Network Security Topologies

Chapter 11

Learning Objectives

- Identify the place and role of the demilitarized zone (DMZ)
- Explain NAT and PAT
- Explain tunneling in network security
- Describe the security features of VLANs
- Explain the network perimeter's importance to an organization's security policies
Perimeter Security Topologies

- Any network that is connected (directly or indirectly) to your organization, but is not controlled by your organization, represents a risk.
- Firewalls deployed on the network edge enforce security policies and create choke points on network perimeters.
- Perimeter topologies include demilitarized zones (DMZs), extranets, and intranets.
- The firewall must be the gateway for all communications between trusted networks and untrusted or unknown networks.
- The firewall should selectively admit or deny data flows from other networks based on several criteria:
  - Type (protocol)
  - Source
  - Destination
  - Content
Three-tiered Architecture

- Outermost perimeter
  - Router used to separate the network from the ISP's network
  - Identifies the separation point between assets you control and those you do not
  - Most insecure area of a network infrastructure
  - Normally reserved for routers, firewalls, and public Internet servers (HTTP, FTP, Gopher)
  - Not for sensitive company information that is for internal use only
- Internal perimeters
  - Represent additional boundaries where other security measures are in place
  - Multiple internal perimeters are relative to a particular asset, such as the internal perimeter that is just inside the firewall
- Innermost perimeter
Network Classifications

- When a network manager creates a network security policy, each network that makes up the topology must be classified as one of three types of networks:
  - Trusted
  - Semi-trusted
  - Untrusted
Trusted Networks

- When you set up the firewall, you explicitly identify the type of each network via its network adapter card. After the initial configuration, the trusted networks include the firewall and all networks behind it.
- VPNs are exceptions: security mechanisms must exist by which the firewall can authenticate the origin, data integrity, and other security properties of the network traffic according to the same security principles enforced on your trusted networks.
Semi-Trusted Networks

- Allow access to some database materials and e-mail
- May include DNS, proxy, and modem servers
- Not for confidential or proprietary information
- Referred to as the demilitarized zone (DMZ)
Untrusted Networks

- Outside your security perimeter and control; however, you may still need and want to communicate with these networks.
- When you set up the firewall, you explicitly identify the untrusted networks from which that firewall can accept requests.
Unknown Networks

- Unknown networks are neither trusted nor untrusted.
- By default, all nontrusted networks are considered unknown networks.
- You can identify unknown networks below the Internet node and apply more specialized policies to those untrusted networks.
Two Perimeter Networks

- Positioning your firewall between an internal and an external router provides little additional protection from attacks on either side, but it greatly reduces the amount of traffic that the firewall must evaluate, which can increase the firewall's performance.
Creating and Developing Your Security Design

- Know your enemy
  - Security measures can't stop all unauthorized tasks; they can only make them harder.
  - The goal is to make sure that security controls are beyond the attacker's ability or motivation.
- Know the costs and weigh those costs against the potential benefits.
- Identify assumptions. For example, you might assume that your network is not tapped, that attackers know less than you do, that they are using standard software, or that a locked room is safe.
- Control secrets: what knowledge would enable someone to circumvent your system?
- Know your weaknesses and how they can be exploited.
- Limit the scope of access: create appropriate barriers in your system so that if intruders access one part of the system, they do not automatically have access to the rest of the system.
- Understand your environment: auditing tools can help you detect unusual events.
- Limit your trust: people, software and hardware.
DMZ

- Used by a company to host its own Internet services without exposing its private network to unauthorized access
- Sits between the Internet and the internal network's line of defense, usually some combination of firewalls and bastion hosts
- Traffic originating from it should be filtered
- Typically contains devices accessible to Internet traffic:
  - Web (HTTP) servers
  - FTP servers
  - SMTP (e-mail) servers
  - DNS servers
- Optional, more secure approach than a simple firewall; may include a proxy server
DMZ Design Goals

- Minimize the scope of damage
- Protect sensitive data on the server
- Detect the compromise as soon as possible
- Minimize the effect of the compromise on other organizations
- The bastion host is not able to initiate a session back into the private network. It can only forward packets that have already been requested.
- A useful mechanism for meeting these goals is to add filtering of traffic initiated from the DMZ network to the Internet. This impairs an attacker's ability to have a vulnerable host communicate with the attacker's host, and can:
  - keep the vulnerable host from being exploited altogether
  - keep a compromised host from being used as a traffic-generating agent in distributed denial-of-service attacks
  - The key is to limit traffic to only what is needed, and to drop what is not required, even if the traffic is not a direct threat to your internal network.
- Filtering DMZ traffic would also identify traffic coming in from the DMZ interface of the firewall or router that appears to have a source IP address on a network other than the DMZ network number (spoofed traffic).
- The firewall or router should be configured to initiate a log message or rule alert to notify the administrator.
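As an added illustration of the two DMZ filtering rules above (this is example code, not part of the chapter), the following Python evaluates packets arriving on a firewall's DMZ interface: it drops and logs anything whose source address lies outside the DMZ network (spoofed), and drops DMZ-initiated flows that are not on an explicit allow list. The DMZ subnet, the allow list and the packet records are constructed sample values.

```python
import ipaddress

# Constructed sample values: the DMZ subnet and the only DMZ-initiated
# flows the egress policy permits, as (protocol, destination port).
DMZ_NET = ipaddress.ip_network("203.0.113.0/24")
ALLOWED_OUT = {("tcp", 25), ("tcp", 443), ("udp", 53)}


def check_dmz_packet(pkt):
    """Evaluate one packet seen on the DMZ interface.

    pkt is a dict with keys src, dst, proto, dport. Returns ("accept", "")
    or ("drop", reason). The anti-spoofing test runs first, so a forged
    source address never reaches the port-based rules.
    """
    src = ipaddress.ip_address(pkt["src"])
    if src not in DMZ_NET:
        return "drop", "spoofed source %s on DMZ interface" % src
    if (pkt["proto"], pkt["dport"]) not in ALLOWED_OUT:
        return "drop", "DMZ-initiated %s/%d to %s not permitted" % (
            pkt["proto"], pkt["dport"], pkt["dst"])
    return "accept", ""


def filter_dmz_traffic(packets):
    """Apply the policy to a batch of packets and return the alert
    messages the firewall would log for every dropped packet."""
    alerts = []
    for pkt in packets:
        verdict, reason = check_dmz_packet(pkt)
        if verdict == "drop":
            alerts.append("ALERT src=%s dst=%s %s/%d: %s" % (
                pkt["src"], pkt["dst"], pkt["proto"], pkt["dport"], reason))
    return alerts


# Constructed sample traffic as seen on the DMZ interface.
SAMPLE_PACKETS = [
    {"src": "203.0.113.10", "dst": "198.51.100.5", "proto": "tcp", "dport": 25},    # mail relay: allowed
    {"src": "203.0.113.10", "dst": "198.51.100.9", "proto": "udp", "dport": 53},    # DNS lookup: allowed
    {"src": "10.0.0.7",     "dst": "198.51.100.5", "proto": "tcp", "dport": 80},    # source not in DMZ: spoofed
    {"src": "203.0.113.20", "dst": "198.51.100.7", "proto": "tcp", "dport": 6667},  # unexpected egress flow
]

if __name__ == "__main__":
    for line in filter_dmz_traffic(SAMPLE_PACKETS):
        print(line)
```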
Intranet

- Typically a collection of all LANs inside the firewall (the campus network)
- Either a network topology or an application (usually a Web portal) used as a single point of access to deliver services to employees
- Shares company information and computing resources among employees
- Allows access to the public Internet through firewalls that screen communications in both directions to maintain company security

Extranet

- Private network that uses Internet protocols and the public telecommunication system to provide various levels of accessibility to outsiders
- Requires security and privacy:
  - Firewall management
  - Issuance and use of digital certificates or other user authentication
  - Encryption of messages
  - Use of VPNs that tunnel through the public network
- Companies can use an extranet to:
  - Exchange large volumes of data
  - Share product catalogs exclusively with wholesalers or those in the trade
  - Collaborate with other companies on joint development efforts
  - Jointly develop and use training programs with other companies
  - Provide or access services provided by one company to a group of other companies, such as an online banking application managed by one company on behalf of affiliated banks
  - Share news of common interest exclusively with partner companies
Network Address Translation (NAT)

- Internet standard that enables a LAN to use one set of IP addresses for internal traffic and a second set for external traffic
- Provides a type of firewall by hiding internal IP addresses
- Enables a company to use more internal IP addresses
- Most often used to map IPs from the nonroutable private address spaces defined by RFC 1918 that either do not require external access or require only limited access to outside services:
  - Class A: 10.0.0.0 … 10.255.255.255
  - Class B: 172.16.0.0 … 172.31.255.255
  - Class C: 192.168.0.0 … 192.168.255.255
- Static NAT and dynamic NAT
  - Dynamic NAT is more complex because state must be maintained, and connections must be rejected when the pool is exhausted.
  - Unlike static NAT, dynamic NAT enables address reuse, reducing the demand for legally registered public addresses.
PAT

- Port Address Translation (PAT)
  - Variation of dynamic NAT
  - Allows many hosts to share a single IP address by multiplexing streams differentiated by TCP/UDP port numbers
  - Suppose private hosts 192.168.0.2 and 192.168.0.3 both send packets from source port 1108. A PAT router might translate these to a single public IP address 206.245.160.1 and two different source ports, say 61001 and 61002.
  - Because PAT maps individual ports, it is not possible to "reverse map" incoming connections for other ports unless another table is configured.
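The dynamic NAT pool behaviour described under NAT and the PAT port multiplexing described above, as an added Python model that is not part of the chapter. Dynamic NAT hands out whole public addresses and refuses new hosts once the pool is empty; PAT keeps one public address and tells sessions apart by translated source port, so inbound packets to an unmapped port cannot be reverse-mapped unless a static entry is added. The public address 206.245.160.1 and ports 61001/61002 come from the slide; the pool addresses 206.245.160.2 and .3 and the sequential port allocator are constructed assumptions.

```python
class DynamicNat:
    """Dynamic NAT: an inside host borrows a whole public address from the
    pool for the life of its session; when the pool is empty, new
    connections are rejected (state must be kept to know who holds what)."""

    def __init__(self, pool):
        self.free = list(pool)      # public addresses not yet handed out
        self.table = {}             # private_ip -> public_ip

    def translate(self, private_ip):
        if private_ip in self.table:
            return self.table[private_ip]
        if not self.free:
            return None             # pool exhausted: connection refused
        self.table[private_ip] = self.free.pop(0)
        return self.table[private_ip]

    def release(self, private_ip):
        """Session ended: the public address goes back into the pool."""
        self.free.append(self.table.pop(private_ip))


class Pat:
    """Port Address Translation: many (private_ip, port) pairs share ONE
    public address and are distinguished by the translated source port."""

    def __init__(self, public_ip, first_port=61001, last_port=65535):
        self.public_ip = public_ip
        self._free = iter(range(first_port, last_port + 1))  # assumed sequential allocator
        self.outbound = {}          # (private_ip, private_port) -> public_port
        self.inbound = {}           # public_port -> (private_ip, private_port)

    def translate_out(self, private_ip, private_port):
        key = (private_ip, private_port)
        if key not in self.outbound:            # new stream: allocate a port
            public_port = next(self._free)
            self.outbound[key] = public_port
            self.inbound[public_port] = key
        return self.public_ip, self.outbound[key]

    def translate_in(self, public_port):
        """Reverse-map a packet arriving at (public_ip, public_port). Only
        ports already in the table resolve; any other port has no inside
        owner, so the router cannot forward it."""
        return self.inbound.get(public_port)

    def add_static(self, public_port, private_ip, private_port):
        """The 'other table': a fixed inbound mapping for a published service."""
        self.inbound[public_port] = (private_ip, private_port)
```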
PAT and NAT

- In some cases, static NAT, dynamic NAT, PAT, and even bidirectional NAT or PAT may be used together:
  - Web servers can be reached from the Internet without NAT, because they live in public address space.
  - Because Simple Mail Transfer Protocol (SMTP) must be continuously accessible through a public address associated with a DNS entry, the mail server requires a static mapping (either a limited-purpose virtual server table or static NAT).
  - For most clients, public address sharing is usually practical through dynamically acquired addresses (either dynamic NAT with a correctly sized address pool, or PAT).
  - Applications that hold onto dynamically acquired addresses for long periods could exhaust a dynamic NAT address pool and block access by other clients. To prevent this, PAT is used because it enables higher concurrency (thousands of port mappings per IP address).
Tunneling

- Enables a network to securely send its data through untrusted/shared network infrastructure
- Encrypts and encapsulates a network protocol within packets carried by a second network
- Replacing WAN links because of security and low cost
- An option for most IP connectivity requirements

Example of a Tunnel

- A router with Internet Protocol Security (IPSec) encryption capabilities is deployed as a gateway on each LAN's Internet connection.
- The routers are configured for a point-to-point VPN tunnel, which uses encryption to build a virtual connection between the two offices.
- When a router sees traffic on its LAN that is destined for the VPN, it communicates with the other side, instructing it to build the tunnel.
- Once the two routers have negotiated a secure encrypted connection, traffic from the originating host is encrypted using the agreed-upon settings and sent to the peer router.
Virtual Local Area Networks (VLANs)

- Deployed using network switches
- Used throughout networks to segment different hosts from each other
- Often coupled with a trunk, which allows switches to share many VLANs over a single physical link

Benefits of VLANs

- Network flexibility
- Scalability
- Increased performance
- Some security features
Security Features of VLANs

- Can be configured to group together users in the same group or team, no matter their location
- Offer some protection when sniffers are inserted
- Protect unused switch ports by moving them all to a separate VLAN
- Use an air gap to separate trusted from untrusted networks:
  - Do not allow the same switch or network of switches to provide connectivity to networks segregated by firewalls.
  - A switch that has direct connections to untrusted networks (Internet) or semi-trusted networks (DMZs) should never be used to contain trusted network segments as well.

Vulnerabilities of VLAN Trunks

- Trunk traffic does not pass through the router; therefore there is no packet filtering.
- Trunk autonegotiation is on by default.
  - Prevention: disable autonegotiation on all ports and only allow trunk traffic on trunk ports.
- By default, trunk links are permitted to carry traffic from all VLANs.
  - Prevention: manually configure all trunk links with the VLANs that are permitted to traverse them (pruning).
Chapter Summary

- Technologies used to create network topologies that secure data and networked resources:
  - Perimeter networks
  - Network address translation (NAT)
  - Virtual local area networks (VLANs)