70 likes | 444 Views
Network Security Principles & Practices. By Saadat Malik Cisco Press 2003. – Chapter 2 – Defining Security Zones. What are security zones? DMZ Cisco PIX firewalls. Network Architecture. The topological design of a network is one of the best defenses against network attacks.
E N D
Network Security Principles & Practices By Saadat Malik Cisco Press 2003
– Chapter 2 – Defining Security Zones • What are security zones? • DMZ • Cisco PIX firewalls Network Security
Network Architecture • The topological design of a network is one of the best defenses against network attacks. • Using zones to segregate various areas of the network from each other. • Different zones of the same network have different security needs. • Better scalability Network Security
Zoning strategies • Greater security needs, more secure zones • Controlled access to zones • Publicly accessed servers are placed in separate zones from private servers. • To achieve highest security, each server is placed in a separate zone. Why? • The ‘defense in depth principle’ - Firewalls are used to separate the zones. Network Security
DMZ • Different ways of creating demilitarized zones: • Using a 3-legged firewall • Placing the DMZ outside the firewall ‘Bastion hosts’ are placed in the DMZ. • In the path between a firewall and the Internet • Dirty DMZ Rationale ? • Placing the DMZ between stacked firewalls Network Security
Cisco PIX Firewall • Multiple interfaces, each with its own security level (lowest 0 .. 100 highest) • May support multiple security zones, thus allowing multiple DMZs to be set up • In general, a computer/device in a lower security zone cannot access computer/device in a higher security zone, unless a ‘hole’ is created. • Each security zone should have a unique number. Network Security
Cisco PIX Firewall • Example configuration: • nameif ethernet0 outside security0 • nameif ethernet1 inside security100 • nameif ethernet2 dmz security50 Network Security