310 likes | 526 Views
Network Security Topologies. Jason Kennedy March 23, 2004. Network Security Topics . Perimeter Security Topologies Demilitarized zone (DMZ) Network Address Translation Tunneling Virtual Local Area Networks. Perimeter Security Topologies.
E N D
Network SecurityTopologies Jason Kennedy March 23, 2004
Network Security Topics • Perimeter Security Topologies • Demilitarized zone (DMZ) • Network Address Translation • Tunneling • Virtual Local Area Networks
Perimeter Security Topologies Perimeter networks permit communication between the organization and third parties. Technology closely related to perimeter networks is network address translation (NAT). ……….
Perimeter ……. It is critical to create a strong network perimeter that protects internal resources from threats outside the org. Problems can occur from: • The internet (no power to enforce security) • External networks (business partners, customers, suppliers) • Need to block undesirable network traffic
Perimeter • Goal is to selectively admit or deny traffic (or data flows) from other networks based on a number of criteria, such as: • Type of protocol • Source of request • Destination • Content • Admitted or denied based on companies security policy.
Security Policies, (firewall) • Enforced primarily by firewalls • Firewalls used to create choke points on the network perimeter. • Firewall inspects each packet for compliance with the security policy.
Three-tier Architecture • To have a successful network security perimeter, the firewall must be the gateway for all communications between trusted networks and untrusted and unknown networks. • Each network can contain multiple perimeter networks. • Three types: • The outermost perimeter • Internal perimeter • The innermost perimeter
Three-tier Architecture • Outermost • Identifies the separation point between the assets you control and the assets you don’t control. • This is the router you use to separate your network from your ISP’s network. • Internal • Represent additional boundaries where you have other security mechanisms in place. • Ex. When a manager creates a new policy, each network that makes up that topology must be classified as one of three types of networks: • Trusted • Semi – trusted • Untrusted
Three-tier Architecture • Trusted networks • Networks inside you network security perimeter • What you are trying to protect. • Semi – Trusted • Networks that allow users to gain access to some important database materials and email, and may include DNS, proxy, and modem servers. • Confident and proprietary info does not reside here. • Referred to as Demilitarized Zones (DMZ) (discuss later) • Untrusted Networks • Networks that are known to be outside of your security perimeter. External to your firewall. • No control over the administration or security policies.
Three-tier Architecture • The Outermost perimeter is the most insecure area of your network infrastructure. • Normally reserved for routers, firewalls, and public Internet servers, such as HTTP, FTP, and Gopher services • The easiest area to gain access to and therefore the most frequently attacked. • Sensitive company info should not be put in this area.
Creating and Developing your Security Design • Know your enemy • Consider who might attack • Identify motivations for an attack • What could they do? • Counting the Cost • Weigh costs against benefits • Identifying Any Assumptions • Don’t assume hackers know less than you
Creating and Developing your Security Design • Controlling Your Secrets • Use passwords and encryption keys • Have a limited number of secrets • Knowing Your Weaknesses • Understand system weak points • Areas of potential danger • Limiting the Scope of Access • Create barriers in your system, so if intruders attack one point of the system, they do not automatically have access to other points.
Creating and Developing your Security Design • Understanding Your Environment • Know what is expected and unexpected from your system. • Any traffic or patterns that stray from the norm should be investigated. • Limiting Your Trust • Know which software you rely on • S/W has bugs too!
Demilitarized zone (DMZ) • DMZ are areas that are within the autonomous system, but are not as tightly controlled as the network’s interior. • Used by companies that want to host its own Internet services, without sacrificing unauthorized access to it’s private network. • Sits between the Internet and an internal network’s line of defense, and is usually some combination of firewalls and bastion hosts. • Basically involves adding multiple firewall layers of security between the Internet and a companies critical data and business logic.
Demilitarized zone (DMZ) • A typical DMZ configuration includes: • Outer firewall b/t the Internet and the Web Server processing the requests originating on the company Web site. • Inner firewall b/t the Web Server and the appl. Server to which it is forwarding requests. Date resides behind this.
Demilitarized zone (DMZ) • How it works in a small business: • A separate computer receives requests from users within the private network for access to Web sites or other company resources on the public network. • The bastion host then initiates sessions for these requests on the public network. The bastion is not able to initiate a session back into the private network. It can only forward packets that have been requested. • Users on the public network outside the company can access only the hosts on the DMZ. They can only view your website. • Use filtering to impair an attacker’s ability to have a vulnerable host communicate to the attacker’s host.
Demilitarized zone (DMZ) • Other security tips: • Filter the source of the IP address to determine if its is one on the DMZ network. • Solid understanding of network traffic. • FTP and DNS initiate outbound connections. Special considerations should be given to these protocols.
Demilitarized zone (DMZ) • Intranet • A network topology or the application (Web portal) that enterprises use as a single point of access to deliver services to employees and business units. • Also called a campus network. • Main purpose is to share company info and company resources among employees. • Extranet • Private network that uses the Internet protocol and the public telecommunication system to securely share part of a business’s info or operations with suppliers, vendors, partners, customers, or other businesses. • For users outside of the company. • Requires firewall mgt., the use of digital certificates, encryption, and the use of VPNs.
Network Address Translation (NAT) • An Internet standard that enables a local area network to use one set of IP addresses for internal traffic and a second set of addresses for external traffic.
NAT………. • Serves two main purposes: • Provides a type of firewall by hiding internal IP addresses • Enables a company to use more internal IP addresses. • When communication between a privately addressed host and a public network (the Internet) is needed, address translation is required. This is where NAT comes in.
NAT Analogy • NAT is like the receptionist in a large office Let’s say you left instructions with the receptionist not to forward any calls to you unless you request it. Later on, you call a potential client and leave a message for that client to call you back. You tell the receptionist that you are expecting a call from this client and to put the client through when he/she calls back. The client calls the main number to your office, which is the only number the client knows. When the client tells the receptionist that he/she is looking for you, the receptionist checks the lookup table that matches your name with your extension. The receptionist knows that you requested this call, and forwards you the call (message).
NAT… • NAT routers sit on the border between public and private networks. • NAT works by creating bindings between addresses. • Static NAT – a one to one mapping between public and private addresses. • Dynamic NAT – maps an unregistered IP address to a registered IP address from a group of registered IP addresses.
Static NAT • In static NAT, the computer with the IP address of 192.168.32.10 will always translate to 213.18.123.110
Dynamic NAT • Edge devices that run dynamic NAT create binding “on the fly” by building a NAT table. • Connections initiated by private hosts are assigned a public address from a pool. • As long as the private hosts has an outgoing connection, it can be reached by incoming packets sent to this public address. • When the connection expires, the binding expires, and the address is returned to the pool for REUSE.
Dynamic NAT • In dynamic NAT, the computer with the IP address 192.168.32.10 will translate to the first available address in the range from 213.18.123.100 to 213.18.123.150.
Variation of dynamic NAT • Port Address Translation (PAT) • Used to allow many hosts to share a single IP address by multiplexing streams differentiated by TCP/UDP port numbers • Ex. Suppose private hosts 192.168.0.2 and 192.168.0.3 both send packets from source port 1108. A PAT router might translate these to a single public IP address 206.245.160.1 and two different source ports, lets say 61001 and 61002. Response traffic received for port 61001 is routed back to 192.168.0.2:1108, while port 61002 traffic is routed back to 192.168.0.3:1108. • Commonly implemented on Small Office / Home Office routers (SOHO)
Tunneling • Technology that enables a network to securely send its data through an untrusted or shared network infrastructure. • Works by encrypting and encapsulating the secured traffic within packets carried by the second network. • VPN is the best known example of tunneling • “Tunnel” is actually an agreement between routers on how the data is encrypted.
VLAN • Virtual local area networks • A way of dividing a single physical network switch among multiple network segments or broadcast domains. • Ability to configure multiple LANs on a single switch • Trunk – allows switches to share many VLANs over a single physical link • Routers needed to make different VLANs talk