Guide to Network Defense and Countermeasures, Second Edition
Chapter 10: Firewall Topology
Objectives
• Explain the goal of securing the network perimeter
• Describe factors in choosing a bastion host
• Explain how to supplement a firewall with a proxy server
• Set up Network Address Translation (NAT)
• Decide when to use user, session, or client authentication
Guide to Network Defense and Countermeasures, Second Edition
Securing Network Perimeters
• Goal is to provide adequate access without jeopardizing confidential or mission-critical areas
• You need
  • Firewalls, IDSs, a bastion host, Network Address Translation (NAT), and proxy servers
  • Combined with authentication mechanisms
• Bastion host
  • Provides Web, FTP, e-mail, or other services running on a specially secured server
Choosing a Bastion Host
• Security software does not operate on its own
  • You install it on a computer
• Bastion host
  • Computer that sits on the network perimeter
  • Has been specially protected through OS patches, authentication, and encryption
General Requirements
• Steps in creating a bastion host
  • Select sufficient memory and processor speed
  • Choose and install the OS and any patches or updates
  • Determine where the bastion host will fit in the network configuration
  • Install the services you want to provide
  • Remove services and accounts that aren't needed
  • Back up the system and all data on it
  • Run a security audit
  • Connect the machine to the network
Selecting the Bastion Host Machine
• Select familiar hardware and software
• Ideal situation
  • One bastion host for each service you want to provide
  • Can be prohibitively expensive
• Operating system
  • Pick a version that is stable and secure
  • Check the OS vendor's Web site for patches and updates
Selecting the Bastion Host Machine (continued)
• Memory and processor speed
  • Memory is always important when operating a server
  • A bastion host might provide only a single service
    • Does not need gigabytes of RAM
  • Match processing power to server load
    • You might have to add a processor
• Location on the network
  • Typically located outside the internal network
  • Combined with packet-filtering devices
  • Multiple bastion hosts are set up in the DMZ
Hardening the Bastion Host
• Selecting services to provide
  • Close unnecessary ports
  • Disable unnecessary user accounts and services
    • Reduces the chances of being attacked
  • Disable routing or IP forwarding services
  • Do not remove dependency services
    • The system needs them to function correctly
Hardening the Bastion Host (continued)
• Using honeypots
  • Honeypot
    • Computer placed on the network perimeter
    • Attracts attackers away from critical servers
    • Appears real
  • Network security experts are divided about honeypots
  • Laws on the use of honeypots are confusing at best
  • Another goal of a honeypot is logging
    • Logs are used to learn about attackers' techniques
Hardening the Bastion Host (continued)
• Disabling user accounts
  • Default accounts are created during OS installation
  • Disable all user accounts on the bastion host
    • Users should not be able to connect to it
  • Rename the Administrator account
  • Passwords of at least 6-8 alphanumeric characters
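The "run a security audit" step from the bastion host checklist, and the "close unnecessary ports", "disable unnecessary accounts" and "disable IP forwarding" hardening items, can be checked mechanically. The script below is an added example, not part of the textbook slides: it compares a constructed listing of listening sockets, a constructed /etc/passwd-style account table and a sysctl value against the services and logins the host is supposed to offer (the allowlists are assumptions for the example). Anything outside the allowlist becomes a finding.

```python
"""Bastion host audit: compare what the host actually exposes with what it
is supposed to provide.  Added example; every input below is constructed."""

# Assumed policy: only SSH and the Web server are supposed to be reachable.
ALLOWED_SERVICES = {22: "sshd", 80: "httpd", 443: "httpd"}
ALLOWED_LOGINS = {"admin"}            # the one account permitted an interactive shell
NON_INTERACTIVE_SHELLS = ("/nologin", "/false")

# Constructed listener table: "proto local_address process" per line.
LISTENING = """\
tcp 0.0.0.0:22 sshd
tcp 0.0.0.0:80 httpd
tcp 0.0.0.0:443 httpd
tcp 127.0.0.1:25 master
tcp 0.0.0.0:3306 mysqld
"""

# Constructed /etc/passwd-style table (name:x:uid:gid:gecos:home:shell).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
admin:x:1000:1000::/home/admin:/bin/bash
guest:x:1001:1001::/home/guest:/bin/bash
"""

# Constructed kernel setting: 1 means the host will route between interfaces.
SYSCTL = {"net.ipv4.ip_forward": "1"}


def audit_listening(listing: str, allowed: dict) -> list:
    """Flag every listening port that is not in the allowlist, and every
    allowed port that is served by an unexpected process."""
    findings = []
    for line in listing.splitlines():
        proto, local, proc = line.split()
        port = int(local.rsplit(":", 1)[1])
        if port not in allowed:
            findings.append(f"unexpected listener: {proc} on {local}/{proto}")
        elif allowed[port] != proc:
            findings.append(f"port {port} served by {proc}, expected {allowed[port]}")
    return findings


def audit_accounts(passwd: str, allowed_logins: set) -> list:
    """Flag accounts that still have an interactive shell but are not
    on the list of logins the bastion host is meant to accept."""
    findings = []
    for line in passwd.splitlines():
        name, _, uid, _, _, _, shell = line.split(":")
        if shell.endswith(NON_INTERACTIVE_SHELLS):
            continue                      # already disabled for interactive use
        if name not in allowed_logins:
            findings.append(f"account {name} (uid {uid}) can log in with {shell}")
    return findings


def audit_forwarding(sysctl: dict) -> list:
    """A bastion host provides services; it must not route packets."""
    if sysctl.get("net.ipv4.ip_forward") == "1":
        return ["IP forwarding is enabled; a bastion host should not route"]
    return []


def run_audit() -> list:
    """Collect all findings for the constructed host."""
    return (audit_listening(LISTENING, ALLOWED_SERVICES)
            + audit_accounts(PASSWD, ALLOWED_LOGINS)
            + audit_forwarding(SYSCTL))


if __name__ == "__main__":
    for finding in run_audit():
        print("FINDING:", finding)
```

On a real host the three inputs would come from the socket table, the account database and the kernel, and the audit would be re-run after every change and before the machine is connected to the network, as the checklist orders the steps.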
Handling Backups and Auditing
• Essential steps in hardening a computer
  • Backups
  • Detailed recordkeeping
  • Auditing
• Copy log files to other computers in your network
  • Check these files for viruses
• Audit all failed and successful attempts to log on to the bastion host
  • And any attempts to access or change files
Working with Proxy Servers
• Proxy server
  • Software product
  • Forwards packets to and from the network being protected
  • Caches Web pages to speed up network performance
Goals of Proxy Servers
• Original goal
  • Speed up network communications
  • Information is retrieved from the proxy cache instead of the Internet
    • If the information has not changed at all
• Other goals
  • Provide security at the application layer
  • Shield hosts on the internal network
  • Control the Web sites users are allowed to visit
How Proxy Servers Work
• Proxy server goal
  • Prevent a direct connection between an external computer and an internal computer
• Proxy servers work at the application layer
  • Opens the packet and examines the data
  • Decides to which application it should forward the packet
  • Reconstructs the packet and forwards it
    • Replaces the original header with a new header
    • Containing the proxy's own IP address
How Proxy Servers Work (continued)
• Proxy server receives traffic before it goes to the Internet
• Client programs are configured to connect to the proxy server instead of the Internet
  • Web browser
  • E-mail applications
Choosing a Proxy Server
• Different proxy servers perform different functions
• Freeware proxy servers
  • Often described as content filters
  • Do not have features for business applications
  • Example: Squid
• Commercial proxy servers
  • Offer Web page caching, source and destination IP address translation, content filtering, and NAT
  • Example: Microsoft ISA Server
Choosing a Proxy Server (continued)
• Proxy servers that can include firewall functions
  • Having an all-in-one program simplifies life
  • Disadvantages
    • Single point of failure
  • Try to use several software and hardware products to protect your network
Filtering Content
• Proxy servers can open packets and examine data
• Proxy servers can filter out content
  • That would otherwise appear in a user's Web browser
• Can block Web sites with content your users should not be viewing
• Can also drop executable programs
  • Java applets
  • ActiveX controls
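Because a proxy works at the application layer, it can make decisions on the request's host name and on the response's content rather than on addresses and ports alone. The code below is an added example, not part of the textbook slides or of any proxy product: it implements the two filtering decisions the slides describe, refusing hosts under a blocked domain and either dropping responses whose MIME type marks an executable download or stripping the HTML elements that load Java applets (`<applet>`) and ActiveX controls (`<object>`). The blocked domain, the MIME-type list and the sample page are constructed for the example.

```python
import re

# Assumed policy for the example: which domains are forbidden and which
# MIME types are treated as executable downloads are site choices.
BLOCKED_DOMAINS = {"example.net"}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream",
                    "application/java-archive"}

# Elements that embed Java applets (<applet>) or ActiveX controls (<object>),
# including everything up to the matching closing tag.
ACTIVE_CONTENT = re.compile(r"<(applet|object)\b[^>]*>.*?</\1\s*>",
                            re.IGNORECASE | re.DOTALL)


def is_blocked_host(host: str, blocked=BLOCKED_DOMAINS) -> bool:
    """True for a blocked domain and for any subdomain of it
    (a trailing dot and upper-case letters are normalised first)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)


def filter_response(headers: dict, body: bytes):
    """Inspect a response before it reaches the browser.
    Returns (body_to_deliver, actions); body is None when the response is dropped."""
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype in EXECUTABLE_TYPES:
        return None, [f"dropped executable download ({ctype})"]
    if ctype != "text/html":
        return body, []                      # nothing to inspect in non-HTML bodies
    text = body.decode("utf-8", errors="replace")
    cleaned, removed = ACTIVE_CONTENT.subn("<!-- removed by proxy -->", text)
    actions = [f"removed {removed} applet/object element(s)"] if removed else []
    return cleaned.encode("utf-8"), actions


# Constructed sample page: one Java applet and one ActiveX object
# (the CLSID is a placeholder, not a real control identifier).
SAMPLE_HTML = b"""<html><body><p>Quarterly report</p>
<applet code="Viewer.class" width="1" height="1"></applet>
<object classid="clsid:00000000-0000-0000-0000-000000000000">
<param name="src" value="ctl.cab"></object>
<p>End</p></body></html>"""


if __name__ == "__main__":
    print("ads.example.net blocked:", is_blocked_host("ads.example.net"))
    body, actions = filter_response({"content-type": "text/html; charset=utf-8"}, SAMPLE_HTML)
    print(actions)
    print(body.decode())
```

The host check deliberately matches subdomains, since a block list that only matched exact names would be bypassed by any additional label; the MIME-type check is applied before the HTML scan so that a download is never parsed as a page.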
Using Network Address Translation (NAT)
• Network Address Translation (NAT)
  • Go-between
  • Receives requests at its own IP address and forwards them to the correct IP address
  • A NAT-enabled device is the only one that needs a public IP address
  • Essential function many firewalls or routers perform
  • Shields the IP addresses of internal hosts
• NAT modes
  • Hide-mode and static mapping
Hide-Mode Mapping
• Process of having multiple IP addresses behind one public IP address
• Dynamic Host Configuration Protocol (DHCP)
  • Enables IP addresses to be assigned dynamically among hosts on a network
• Disadvantages
  • Cannot hide all clients behind a single IP address
  • Does not work with some types of VPNs
  • Cannot provide more than one service with a single IP address
Static Mapping
• Internal IP addresses are mapped to external, routable IP addresses
  • On a one-to-one basis
• Internal IP addresses are still hidden
  • Computers appear to have public addresses
• All addresses are static
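The two NAT modes on the preceding slides differ in what state the device must keep and in which inbound packets it can deliver. The simulation below is an added example, not code from the textbook or from any firewall product: a hide-mode table gives every outbound flow its own port on the single public address and drops any inbound packet for which no such flow exists, while a static table rewrites addresses one-to-one in both directions, which is why a static mapping can expose a service and hide-mode cannot. All addresses are from the RFC 5737 documentation ranges and are constructed for the example.

```python
import itertools

# Packets are modelled as (src_ip, src_port, dst_ip, dst_port) tuples.


class HideModeNat:
    """Many internal hosts share one public address; the translated source
    port tells the device which internal flow a reply belongs to."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)   # next free public port
        self.outbound = {}   # (int_ip, int_port, dst_ip, dst_port) -> public port
        self.inbound = {}    # public port -> (int_ip, int_port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:                 # first packet of this flow
            port = next(self._ports)
            self.outbound[key] = port
            self.inbound[port] = (src_ip, src_port)
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Replies are mapped back to the internal host; a packet with no
        matching flow is unsolicited and is dropped (None)."""
        if dst_ip != self.public_ip or dst_port not in self.inbound:
            return None
        int_ip, int_port = self.inbound[dst_port]
        return (src_ip, src_port, int_ip, int_port)


class StaticNat:
    """One public address per internal host, fixed in advance, so inbound
    connections to the public address reach the host even when unsolicited."""

    def __init__(self, mapping: dict):          # internal ip -> public ip
        self.to_public = dict(mapping)
        self.to_internal = {pub: internal for internal, pub in mapping.items()}
        if len(self.to_internal) != len(self.to_public):
            raise ValueError("static mapping must be one-to-one")

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        return (self.to_public.get(src_ip, src_ip), src_port, dst_ip, dst_port)

    def translate_inbound(self, src_ip, src_port, dst_ip, dst_port):
        if dst_ip not in self.to_internal:
            return None                            # no such public address here
        return (src_ip, src_port, self.to_internal[dst_ip], dst_port)


if __name__ == "__main__":
    nat = HideModeNat("198.51.100.1")
    print(nat.translate_outbound("10.0.0.5", 51000, "203.0.113.9", 80))
    print(nat.translate_outbound("10.0.0.6", 51000, "203.0.113.9", 80))
    print(nat.translate_inbound("203.0.113.9", 80, "198.51.100.1", 40001))
    print(nat.translate_inbound("203.0.113.9", 80, "198.51.100.1", 40002))   # None
    static = StaticNat({"10.0.0.10": "198.51.100.10"})
    print(static.translate_inbound("203.0.113.9", 50000, "198.51.100.10", 443))
```

Note that in the hide-mode table two internal hosts using the same source port are still told apart, because the public port, not the internal one, is the key; the dropped unsolicited packet is the shielding effect the slides describe, and it is also the reason hide-mode cannot publish a service without an explicit forwarding rule.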
Authenticating Users
• Authentication
  • Identifies users authorized to access the network
  • Important role in firewall or other security configurations
• Depends on the exchange of information
  • Password
  • Key
  • Checksum
  • Smart card
Step 1: Deciding What to Authenticate
• User authentication
  • Identifies a person authorized to access the network
  • Users submit credentials and log on to the network
  • Can be automatic and based on key exchange
• Define a user and assign it to a group
  • Set access rules for that group
• Other restrictions
  • IP addresses
  • Time-based restrictions
Step 1: Deciding What to Authenticate (continued)
• Client authentication
  • Grants access to network resources based on
    • Source IP address
    • Computer MAC address
    • Computer name
  • Identification can be automatic or manual
    • Manual requires extra effort but offers more security
    • Knowing a username and password is not enough
    • User must log on from an authorized IP address
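The user-authentication slide (define a user, assign it to a group, set access rules for the group, add IP and time restrictions) and the client-authentication slide (a valid username and password are not enough; the logon must also come from an authorized address) describe one decision that a firewall makes per logon. The function below is an added example, not the textbook's or any firewall's code, that evaluates such a rule set: the users, groups, networks and hours are constructed policy for the example, and the same structure would take a MAC address or computer name as a further attribute.

```python
import ipaddress
from datetime import datetime, time

# Constructed policy (assumptions for this example): each user belongs to one
# group, and each group is allowed specific source networks and logon hours.
USERS = {"alice": "engineering", "bob": "contractors"}
GROUP_RULES = {
    "engineering": {"networks": ["10.10.0.0/16"],
                    "hours": (time(0, 0), time(23, 59, 59))},
    "contractors": {"networks": ["10.20.5.0/24"],
                    "hours": (time(8, 0), time(18, 0))},
}


def authorize(username: str, credentials_ok: bool, src_ip: str, when):
    """Decide one logon.  Returns (allowed, reason).

    credentials_ok is the result of the password or key check (user
    authentication); the source address (client authentication) and the
    time window are checked separately, so credentials alone never suffice.
    `when` may be a datetime or an ISO-8601 string such as "2024-05-06 10:00".
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)

    group = USERS.get(username)
    if group is None or not credentials_ok:
        # Deliberately the same message for both cases, so a failed attempt
        # does not reveal whether the account exists.
        return False, "unknown user or bad credentials"

    rule = GROUP_RULES[group]
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in ipaddress.ip_network(net) for net in rule["networks"]):
        return False, f"{src_ip} is not an authorized address for group {group}"

    start, end = rule["hours"]
    if not (start <= when.time() <= end):
        return False, f"logon outside permitted hours for group {group}"

    return True, f"{username} authorized via group {group}"


if __name__ == "__main__":
    for args in [("bob", True, "10.20.5.7", "2024-05-06 10:00"),
                 ("bob", True, "10.20.5.7", "2024-05-06 20:00"),
                 ("bob", True, "10.10.3.3", "2024-05-06 10:00"),
                 ("alice", True, "10.10.3.3", "2024-05-06 03:00")]:
        print(args, "->", authorize(*args))
```

The order of the checks matters for what an attempt reveals: the address and time rules are only consulted after the credentials have been verified, and the first two failure cases share one message.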
Step 1: Deciding What to Authenticate (continued)
• Session authentication
  • Authorizes a user or computer on a per-connection basis
  • Uses special authentication software on the client
    • Exchanges information with the firewall
  • Gives the user more flexibility than user or client authentication
Step 2: Deciding How to Authenticate
• Password security
  • User name and password compared against a database of approved users
  • Simplest and most straightforward authentication
• Password systems
  • OS password
  • Firewall password
  • S/Key password
  • SecurID
Step 2: Deciding How to Authenticate (continued)
• Smart cards and tokens
  • Two-factor authentication
    • Combines objects the user possesses with passwords
  • Most common objects used in authentication
    • Smart cards
    • Tokens
• Smart cards
  • Similar to ATM cards
• Tokens
  • Objects that enable users to authenticate themselves
  • Examples: smart cards, handhelds, key fobs
Step 2: Deciding How to Authenticate (continued)
• Exchanging public and private keys
  • A password is a code used to authenticate yourself
  • Computers can also authenticate each other
    • By exchanging codes
    • The code can be long and complicated
    • Called keys
• Keys
  • Blocks of encrypted code generated by algorithms
• Public key cryptography
  • Authenticates by exchanging public and private keys
Step 2: Deciding How to Authenticate (continued)
• Digital signatures
  • Message recipient can authenticate the sender's identity
• One-way hash function
  • Called a message digest
  • Code of fixed length
  • Results from processing a message through a mathematical function
• One-way hash function characteristics
  • Value is unique for the hashed data
  • Data cannot be deduced from the hash
Step 2: Deciding How to Authenticate (continued)
• Digital signatures
  • Signing software creates a hash of the message
    • And encrypts it using your private key
• Validation process
  • Recipient uses the signer's public key to decrypt the hash
  • Computes the hash value of the received message
    • Using the same hashing algorithm as the sender
  • Compares the hash values
Step 3: Putting It All Together
• S-HTTP
  • Secure Hypertext Transfer Protocol (S-HTTP)
  • Encrypts communication between a Web server and a Web browser
    • Using Secure Sockets Layer (SSL) or Transport Layer Security (TLS)
  • SSL encrypts the data portion of a packet, not the header
    • Firewall can still filter and route it
  • SSL does not provide user authentication
Step 3: Putting It All Together (continued)
• IPSec/IKE
  • IPSec encrypts communications at the network layer of the OSI model
  • Widely used
  • NAT can interfere with IPSec
• Internet Key Exchange (IKE)
  • Allows exchange of public and private keys
• Internet Security Association and Key Management Protocol (ISAKMP)
  • Enables two computers to agree on security settings
Step 3: Putting It All Together (continued)
• Dial-in authentication: RADIUS and TACACS+
• Terminal Access Controller Access Control System Plus (TACACS+)
  • Called "Tac-plus"
  • Authentication protocol developed by Cisco Systems
  • Uses MD5 to produce an encrypted digest version of transmitted data
Step 3: Putting It All Together (continued)
• Dial-in authentication: RADIUS and TACACS+
• Remote Authentication Dial-In User Service (RADIUS)
  • Provides less security than TACACS+
  • More widely supported
  • Transmits authentication packets unencrypted across the network
    • Vulnerable to packet sniffing
Summary
• Modern networks require a variety of services
  • Firewalls cannot secure a network alone
• Bastion host
  • Computer on the network perimeter
  • Specially protected through OS patches, authentication, and encryption
• Proxy server
  • Forwards packets to and from the network
  • Caches Web pages to speed up network performance