1 / 16

Network Security

Network Security. DMZ (De-Militarized Zone). General Framework. What is a DMZ?. A DMZ is a computer network that sits between a trusted internal network, such as a corporate private LAN, and an untrusted external network, such as the public Internet Also known as a

Download Presentation

Network Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Network Security DMZ (De-Militarized Zone)

  2. General Framework J. Wang. Computer Network Security Theory and Practice. Springer 2008

  3. What is a DMZ? • A DMZ is a computer network that sits between a trusted internal network, such as a corporate private LAN, and an untrusted external network, such as the public Internet • Also known as a • Data Management Zone or • Demarcation Zone • Perimeter Network

  4. Typical components of DMZ network • Web servers that need to be made available to the general public, such as company's primary Web presence advertising its products or services. • Public DNS servers that resolve the names in your domain for users outside your organization to the appropriate IP addresses. • Public FTP servers on which you provide files to the public • Downloads of your product manuals or • Software drivers • Anonymous SMTP relays that forward e-mail from the Internet to internal mail server(s) • Servers running h complex e-commerce Internet and extranet applications • Proxy Servers

  5. Split Configurations • Mail services can be split between servers on the DMZ and the internal network. • Internal mail server handles e-mail from one computer to another on the internal network. • Mail that comes in or is sent to computers outside the internal network over the Internet is handled by an SMTP gateway located in the DMZ. • For e-commerce systems • Front-end server, directly accessible by Internet users is in the DMZ, • Back-end servers that store sensitive information are on the internal network.

  6. DMZ with two firewalls • DMZ that uses two firewalls, called a back to back DMZ. • An advantage of this configuration is that you can put a fast packet filtering firewall/router at the front end (the Internet edge) to increase performance of your public servers, • Place a slower application layer filtering (ALF) firewall at the back end (next to the corporate LAN) to provide more protection to the internal network without negatively impacting performance for your public servers

  7. Tri-homed DMZ • When a single firewall is used to create a DMZ, it's called a trihomed DMZ. • The firewall computer or appliance has interfaces to three separate networks: • The internal interface to the trusted network (the internal LAN) • The external interface to the untrusted network (the public Internet) • The interface to the semi-trusted network (the DMZ)

  8. Creating a DMZ Infrastructure • Two important characteristics of the DMZ are: • A different network ID from the internal network • A DMZ can use either public or private IP addresses, depending on its architecture • subnet the IP address block that is assigned by your ISP • If using private IP addresses for the DMZ, a Network Address Translation (NAT) device will be required • It is separated from both the Internet and the internal network by a firewall

  9. Security of DMZ • The level of security within the DMZ also depends on the nature of the servers that are placed there. We can divide DMZs into two security categories: • DMZs designed for unauthenticated or anonymous access • DMZs designed for authenticated access

  10. Host Security on the DMZ • Be sure to set strong passwords and use RADIUS or other certificate based authentication for accessing the management console remotely. • To allow you to manage the router through a Web page, it runs an HTTP server. It is a good security practice to disable the HTTP server, as it can serve as a point of attack. • username richard privilege 15 secret bigXdogYlover • Router(config)# username natalie privilege 15 secret BIGxDOGyLOVER • Router(config)# ip http server  • Router(config)# ip http authentication local  • Set up your VTY access for SSH (optional, but recommended):  • Router(config)# username name secret password  • Router(config)# line vty 0 4 • Router(config-line)# transport input ssh • Router(config-line)# transport output ssh • Router(config-line) login local • Different privilege levels to users • Router(config)#privilege exec all level 5 show ip

  11. Example Network

  12. Specify Traffic exiting corporate network • The corporate network zone houses private servers and internal clients. No other network should be able to access it. • Configure an extended access list to specify which traffic can exit out the network • GAD(config)#access-list 101 permit ip 10.10.10.0 0.0.0.255 any • GAD(config)#access-list 101 deny ip any any • GAD(config)#interface fa1 • GAD(config-if)#ip access-group 101 in • Can Host A ping the Web Server? • Can Host A ping Host B? • Can Host B ping the Web Server? • Can Host B ping Host A? 172.16.2.0/24 10.1.1.1/24 10.10.10.1/24

  13. Limit Traffic allowed into corporate network • traffic can be allowed into the corporate network must be limited. • Traffic entering the corporate network will be coming from either the Internet or the DMZ. • Allow all traffic that originated from the corporate network can be allowed back into that network. Enter the following: • GAD(config)#access-list 102 permit tcp any anyestablished • Permit ICMP into the network. This will allow the internal hosts to receive ICMP messages • GAD(config)#access-list 102 permit icmp any any echo-reply • GAD(config)#access-list 102 permit icmp any anyunreachable • No other traffic is desired into the corporate network • GAD(config)#access-list 102 deny ip any any • Finally, apply the access-list to the corporate network Fast Ethernet port. • GAD(config)#interface ethernet1 • GAD(config-if)#ip access-group 102 out 172.16.2.0/24 10.1.1.1/24 10.10.10.1/24

  14. Limit Traffic to Corporate Network • Traffic that can be allowed into the corporate network must be limited. • Traffic entering the corporate network will be coming from either the Internet or the DMZ. • Allow all traffic that originated from the corporate network can be allowed back into that network. Enter the following: • GAD(config)#access-list 102 permit tcp any anyestablished • Permit ICMP into the network. This will allow the internal hosts to receive ICMP messages • GAD(config)#access-list 102 permit icmp any any echo-reply • GAD(config)#access-list 102 permit icmp any anyunreachable • No other traffic is desired into the corporate network • GAD(config)#access-list 102 deny ip any any • Finally, apply the access-list to the corporate network Fast Ethernet port. • GAD(config)#interface ethernet1 • GAD(config-if)#ip access-group 102 out 172.16.2.0/24 10.1.1.1/24 10.10.10.1/24 Can Host A ping the Web Server? Can Host A ping Host B? Can Host B ping the Web Server? Can Host B ping Host A

  15. Protect the DMZ Network • The DMZ network will house only one external server that will provide World Wide Web services • Configure an extended access list to protect the DMZ network • GAD(config)#access-list 111 permit ip 10.1.1.0 0.0.0.255 any • GAD(config)#access-list 111 deny ip any any • GAD(config)#interface ethernetfa0 • GAD(config-if)#ip access-group 111 in • Specify which traffic can enter the DMZ network. Traffic entering the DMZ network will be coming from either the Internet or the corporate network requesting World Wide Web services. • Configure an outbound extended access-list specifying that World Wide Web requests be allowed into the network. • GAD(config)#access-list 112 permit tcp any host 10.1.1.10 eqwww • What command would be entered to allow • DNS, Email and FTP requests into the DMZ? • For management purposes, it would be useful to let corporate users ping the Web Serverbut not for Internet users. • GAD(config)#access-list 112 permit icmp 10.10.10.0 0.0.0.255 host 10.1.1.10 • GAD(config)#access-list 112 deny ip any any • GAD(config)#interface faethernet 0 • GAD(config-if)#ip access-group 112 out 172.16.2.0/24 10.1.1.1/24 10.10.10.1/24

  16. Deter Spoofing • Spoofing - A common method to attempt to forge a valid internal source IP addresses. • To deter spoofing, it is decided to configure an access list so that Internet hosts cannot easily spoof an internal network addresses. • Three common source IP addresses that hackers attempt to forge are valid internal addresses (e.g., 10.10.10.0), loopback addresses (i.e.,127.x.x.x), and multicast addresses (i.e., 224.x.x.x – 239.x.x.x). • GAD(config)#access-list 121 deny ip 10.10.10.0 0.0.0.255 any • GAD(config)#access-list 121 deny ip 127.0.0.0 0.255.255.255 any • GAD(config)#access-list 121 deny ip 224.0.0.0 31.255.255.255 any • GAD(config)#access-list 121 permit ip any any • GAD(config)#interface serial 0 • GAD(config-if)#ip access-group 121 in 172.16.2.0/24 10.1.1.1/24 10.10.10.1/24

More Related