Data Center Network Infrastructure and Security Topics. Best practices.
Best practices
• Best Practice is a management idea which asserts that there is a technique, method, process, activity, incentive or reward that is more effective at delivering a particular outcome than any other technique, method, process, etc.
• The idea is that with proper processes, checks, and testing, a project can be rolled out and completed with fewer problems and unforeseen complications.

Network Infrastructure
• Communications in data centers today are most often based on networks running the IP protocol suite.
• Data centers contain a set of routers and switches that transport traffic between the servers and to the outside world.
• Redundancy is sometimes provided by getting the network connections from multiple vendors.
• Some of the servers at the data center are used for running the basic Internet and intranet services needed by internal users in the organization: email servers, proxy servers, DNS servers, etc.

Network Infrastructure
• Some of the servers at the data center are used for running the basic Internet and intranet services needed by internal users in the organization:
  • email servers
  • proxy servers
  • DNS servers

Network Infrastructure
• Network security elements are also usually deployed:
  • Firewalls
  • VPN gateways
  • Intrusion detection systems
• Also common are monitoring systems for the network and some of the applications.
• Additional offsite monitoring systems are also typical, in case of a failure of communications inside the data center.
Applications
• The main purpose of a data center is running the applications that handle the core business and operational data of the organization.
• Such systems may be proprietary and developed internally by the organization, or bought from enterprise software vendors.
• Common examples of such applications are ERP and CRM systems.
ERP
• Enterprise Resource Planning systems (ERPs) integrate (or attempt to integrate) all data and processes of an organization into a unified system.
• A typical ERP system will use multiple components of computer software and hardware to achieve the integration.
• A key ingredient of most ERP systems is the use of a unified database to store data for the various system modules.

CRM
• Customer relationship management (CRM) is a broad term that covers concepts used by companies to manage their relationships with customers, including the capture, storage and analysis of customer information.
Aspects of CRM
• There are four aspects of CRM, each of which can be implemented in isolation:
  • Active CRM: a centralized database which facilitates the organization of data and automates business processes and common tasks.
  • Operational CRM: automation or support of customer processes that include a company’s sales or service representatives.
  • Collaborative CRM: direct communication with customers that does not include a company’s sales or service representatives (“self service”).
  • Analytical CRM: analysis of customer data for a broad range of purposes.

CRM: Technology considerations
• The technology requirements of a CRM strategy are very complex and far reaching. The basic building blocks include:
  • A database to store customer information. This can be a CRM-specific database or an enterprise data warehouse.
  • Operational CRM requires customer agent support software.
  • Collaborative CRM requires customer interaction systems, e.g. an interactive website, automated phone systems, etc.
  • Analytical CRM requires statistical analysis software, as well as software that manages any specific marketing campaigns.
  • Support CRM systems require interactive chat software to provide live help and support to web site visitors.

CRM: Privacy and Data Security
• The data gathered as part of CRM must consider customer privacy and data security. Customers want the assurance that their data is not shared with third parties without their consent and is not accessed illegally by third parties.
• Customers also want their data used by companies to provide a benefit for them.
DMZ
• In computer security terminology, a DMZ is a network area that sits between an organization's internal network and an external network, usually the Internet.
• Typically, the DMZ contains devices accessible to Internet traffic, such as:
  • Web (HTTP) servers
  • FTP servers
  • SMTP (e-mail) servers
  • DNS servers

DMZ
• In computer security, a demilitarized zone (DMZ) or perimeter network is a network area (a subnetwork) that sits between an organization's internal network and an external network, usually the Internet.

DMZ
• The point of a DMZ is that connections from the internal and the external network to the DMZ are permitted, whereas connections from the DMZ are only permitted to the external network -- hosts in the DMZ may not connect to the internal network.

DMZ
• This allows the DMZ's hosts to provide services to the external network while protecting the internal network in case intruders compromise a host in the DMZ. For someone on the external network who wants to illegally connect to the internal network, the DMZ is a dead end.

DMZ
• Connections from the external network to the DMZ are usually controlled using port address translation (PAT).
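The zone rules on the DMZ slides above (internal and external may reach the DMZ, the DMZ may only reach outward, and the DMZ is a dead end towards the internal network) can be written down as a small policy function. The following is an added example, not code from the original slides; the subnets, the DMZ host addresses and the list of published services are constructed for illustration.

```python
"""Three-zone connection policy for the DMZ design described above.

Added example (not from the original slides). Zones, hosts and the
published-service list are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed addressing: which zone each subnet belongs to.
# Anything that is neither internal nor DMZ is treated as external (Internet).
ZONES = {
    "internal": ip_network("10.0.0.0/8"),
    "dmz": ip_network("192.168.100.0/24"),
}

# Services the DMZ publishes to the outside world: (DMZ host, TCP port).
PUBLISHED = {
    ("192.168.100.10", 80),   # web (HTTP) server
    ("192.168.100.20", 25),   # SMTP relay
    ("192.168.100.30", 53),   # public DNS
}


def zone_of(addr: str) -> str:
    """Map an address to its zone name: 'internal', 'dmz' or 'external'."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def connection_allowed(src: str, dst: str, dport: int) -> bool:
    """Decide whether a NEW connection src -> dst:dport may be initiated.

    Only the direction in which the connection is opened matters here;
    replies on an already-open connection are not the question.
    """
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return True                       # does not cross the perimeter at all
    if s == "internal" and d == "dmz":
        return True                       # internal users may use DMZ services
    if s == "external" and d == "dmz":
        return (dst, dport) in PUBLISHED  # Internet reaches published services only
    if s == "dmz" and d == "external":
        return True                       # DMZ hosts may talk outward
    if s == "dmz" and d == "internal":
        return False                      # the dead end: a compromised DMZ host stays contained
    if s == "internal" and d == "external":
        return True                       # ordinary outbound traffic
    return False                          # external -> internal is never opened directly
```

Running the checker over a few constructed addresses shows the asymmetry the slides describe: an external host can open port 80 on the published web server but not port 22 on the same machine, and the DMZ web server can open nothing towards the internal network.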
PAT
• Port Address Translation (PAT) is a feature of a network device that translates TCP or UDP communications made between a host and port on an outside network, and a host and port on an inside network. It allows a single IP address to be used for many internal hosts. PAT may allow one public IP address to handle communication for 65536 inside hosts.
• A PAT device can transparently and automatically modify the IP packets' destination or source host IP and port fields belonging to its internal hosts.

PAT
• PAT is closely related to the concept of Network Address Translation, often called NAT.
• Similar to NAT, port translation makes changes to the sender’s address or recipient’s address on data packets.
• However, any IP address change involves the PAT device’s outside IP address rather than a pool of addresses as in NAT.

PAT
• PAT translates both the IP and port fields -- wherever those values belong to an internal host.
• Port numbers on packets coming from the external network, rather than destination IP addresses, are used to identify and designate traffic to different computers on the inside network.
PAT
• Server (public) IP addresses have worldwide significance, and ports have a significance that depends on the particular type of communication desired (e.g. web, email, FTP).
• The significance of the IP address on an internal host, however, needs only to be limited to the organizational entity where it resides. Thus private addresses as given in RFC 1918 may be used.
• Additionally, the port number of a client application on a client host is significant only to that particular host.
• Consequently, within an organization any communicating client application can be uniquely identified by the combination of its host IP (organizational significance) and host port (host-only significance).
PAT
• A PAT device is like a post office that delivers box mail: outgoing envelopes are changed to appear to come from a post office box; incoming envelopes addressed to a valid post office box are changed to have the real street address of the box holder.

PAT
• PAT can only translate/replace IP addresses and ports for its internal hosts.
• As a consequence of its function it effectively hides the true endpoint IP address and port of the internal hosts.
• However, PAT must of course leave the public IP address and port information of the external host unmodified.
PAT
• Port translation allows many computers to share a single IP address.
• The PAT device periodically deletes translations from its table when they no longer appear to be in use.
• Because the port number field is a 16-bit unsigned number (0-65535), there are many translation ports available, so the likelihood of an inside computer being unable to send outside traffic is greatly reduced.
PAT
• The PAT operation is typically invisible to both the internal and external hosts.
• Typically the internal host is aware of the true IP address and TCP or UDP port of the external host.
• Typically the PAT device may function as the default gateway for the internal host.
• However, the external host is only aware of the public IP address for the PAT device and the particular port being used to communicate on behalf of a specific internal host.
PAT
• The PAT device usually sits at the network perimeter, where one side connects to the external network, usually the public Internet.
• On the other side is the internal network, usually with private IP addressing.
PAT
• Firewall systems and multi-port broadband network access devices (e.g. ADSL routers, cable modems) tend to use PAT.
• In the configuration of those devices, the outside network is the Internet and the inside network is the LAN.

PAT
• Advantage:
  • PAT's main advantage is that multiple internal hosts can share a single IP address for communication.
• Disadvantage:
  • Only a single public service, e.g. port 80 HTTP, can be exposed per public IP address.
  • Thus an organization using PAT and a single IP cannot easily run more than one of the same type of public service behind a PAT, e.g. two public web servers using the default port 80.
NAT
• The process of network address translation (NAT, also known as network masquerading, native address translation or IP-masquerading) involves re-writing the source and/or destination addresses of IP packets as they pass through a router or firewall.
• Most systems using NAT do so in order to enable multiple hosts on a private network to access the Internet using a single public IP address (see gateway).
• According to specifications, routers should not act in this way, but many network administrators find NAT a convenient technique and use it widely.
• Nonetheless, NAT can introduce complications in communication between hosts.

NAT
• In a typical configuration, a local network uses one of the designated "private" IP address subnets (the RFC 1918 Private Network Addresses are 192.168.x.x, 172.16.x.x through 172.31.x.x, and 10.x.x.x), and a router on that network has a private address (such as 192.168.0.1) in that address space.
• The router is also connected to the Internet with a single "public" address (known as "overloaded" NAT) or multiple "public" addresses assigned by an ISP.
• As traffic passes from the local network to the Internet, the source address in each packet is translated on the fly from the private addresses to the public address(es).
NAT
• The router tracks basic data about each active connection (particularly the destination address and port).
• When a reply returns to the router, it uses the connection tracking data it stored during the outbound phase to determine where on the internal network to forward the reply.
• On packet return, the TCP or UDP client port numbers are used to demultiplex the packets in the case of overloaded NAT, or the IP address and port number when multiple public addresses are available.
• To a system on the Internet, the router itself appears to be the source/destination for this traffic.

NAT
• Drawbacks:
  • Hosts behind a NAT-enabled router do not have true end-to-end connectivity and cannot participate in some Internet protocols.
  • Services that require the initiation of TCP connections from the outside network, or stateless protocols such as those using UDP, can be disrupted.
  • Use of NAT also complicates tunneling protocols such as IPsec, because NAT modifies values in the headers, which interferes with the integrity checks done by IPsec and other tunneling protocols.
NAT
• In addition to the convenience and low cost of NAT, the lack of full bidirectional connectivity can be regarded in some situations as a feature rather than a limitation.
• To the extent that NAT depends on a machine on the local network to initiate any connection to hosts on the other side of the router, it prevents malicious activity initiated by outside hosts from reaching those local hosts.
• This can enhance the reliability of local systems by stopping worms and enhance privacy by discouraging scans. Many NAT-enabled firewalls use this as the core of the protection they provide.

NAT
• The greatest benefit of NAT is that it is a practical solution to the impending exhaustion of IPv4 address space.
• Networks that previously required a Class B IP range or a block of Class C network addresses can now be connected to the Internet with as little as a single IP address (many home networks are set up this way).
• The more common arrangement is having machines that require true bidirectional and unfettered connectivity supplied with a 'real' IP address, while having machines that do not provide services to outside users (e.g. a secretary's computer) tucked away behind NAT with only a few IP addresses used to enable Internet access.

NAT
• Two kinds of network address translation exist.
• The type popularly called simply "NAT" (also sometimes named "Network Address Port Translation" or "NAPT" or even PAT) refers to network address translation involving the mapping of port numbers, allowing multiple machines to share a single IP address.
• The other, technically simpler, form - also called NAT or "one-to-one NAT" or "basic NAT" or "static NAT" - involves only address translation, not port mapping. This requires an external IP address for each simultaneous connection. Broadband routers often use this feature, sometimes labelled "DMZ host", to allow a designated computer to accept all external connections even when the router itself uses the only available external IP address.

NAT
• NAT with port-translation comes in two sub-types:
  • source address translation (source NAT), which re-writes the IP address of the computer which initiated the connection
  • destination address translation (destination NAT)
• In practice, both are usually used together in coordination for two-way communication.

NAT
• NAT traversal refers to a solution to the common problem in TCP/IP networking of establishing connections between hosts in private TCP/IP networks which use NAT devices.
• This problem is typically faced by developers of client-to-client networking applications, especially in peer-to-peer and VoIP. NAT-T is commonly used by IPsec VPN clients in order to have ESP packets go through NAT.
• Many techniques exist, but no technique works in every situation since NAT behavior is not standardized.
NAT
• Many techniques require a public server on a well-known globally reachable IP address.
• Some methods use the server only when establishing the connection (such as STUN).
• Others are based on relaying all the data through it (such as TURN), which adds bandwidth costs and increases latency, detrimental to conversational VoIP applications.
• Most NAT behavior-based techniques fail to preserve enterprise security policies and break end-to-end transparency.
Some NAT types
• With full cone NAT, also known as one-to-one NAT, all requests from the same internal IP address and port are mapped to the same external IP address and port.
• An external host can send a packet to the internal host by sending a packet to the mapped external address.

Some NAT types
• With restricted cone NAT, all requests from the same internal IP address and port are mapped to the same external IP address and port.
• Unlike a full cone NAT, an external host can send a packet to the internal host only if the internal host had previously sent a packet to it.

Some NAT types
• Port restricted cone NAT or symmetric NAT is like a restricted cone NAT, but the restriction includes port numbers.
• Specifically, an external host can send a packet to a particular port on the internal host only if the internal host had previously sent a packet from that port to the external host.

Some NAT types
• With symmetric NAT, all requests from the same internal IP address and port to a specific destination IP address and port are mapped to a unique external source IP address and port.
• If the same internal host sends a packet with the same source address and port to a different destination, a different mapping is used.
• Only an external host that receives a packet can send a UDP packet back to the internal host.

NAT
• Many NAT implementations follow a port preservation design.
• For most communications, they will use the same values as internal and external port numbers.
• If two internal hosts attempt to communicate with the same external host using the same port number, the external port number used by the second host will be chosen at random.
• Such a NAT will sometimes be perceived as restricted cone NAT and other times as symmetric NAT.
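The four NAT types on the slides above differ in two things: whether one internal endpoint gets one external mapping regardless of destination (cone) or one per destination (symmetric), and which external hosts are allowed to send packets back in through that mapping. The following added example (not code from the original slides) models both decisions for UDP so the differences can be checked side by side; the public address, port range and endpoints are constructed.

```python
"""Mapping and inbound-filtering behaviour of the four NAT types listed above.

Added example, not from the original slides. Addresses and ports are constructed.
An endpoint is an (ip, port) tuple.
"""
from enum import Enum


class NatType(Enum):
    FULL_CONE = "full cone"
    RESTRICTED_CONE = "restricted cone"
    PORT_RESTRICTED_CONE = "port restricted cone"
    SYMMETRIC = "symmetric"


class NatBehaviour:
    def __init__(self, kind: NatType, public_ip: str = "203.0.113.1"):
        self.kind = kind
        self.public_ip = public_ip
        self.next_port = 50000          # constructed allocation range
        self.mappings = {}              # mapping key -> external port
        self.contacted = {}             # external port -> set of destinations sent to

    def _key(self, src, dst):
        # Cone NATs key the mapping on the internal endpoint only; a symmetric NAT
        # includes the destination, so each destination gets its own external port.
        return (src, dst) if self.kind is NatType.SYMMETRIC else src

    def send(self, src, dst):
        """Internal endpoint src sends to external endpoint dst; returns the external source used."""
        key = self._key(src, dst)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        port = self.mappings[key]
        self.contacted.setdefault(port, set()).add(dst)
        return (self.public_ip, port)

    def deliver(self, ext_src, ext_port: int) -> bool:
        """Would a packet from ext_src to (public_ip, ext_port) reach the inside host?"""
        seen = self.contacted.get(ext_port)
        if seen is None:
            return False                                   # no mapping exists at all
        if self.kind is NatType.FULL_CONE:
            return True                                    # anyone who knows the mapping
        if self.kind is NatType.RESTRICTED_CONE:
            return any(ip == ext_src[0] for ip, _ in seen)  # host previously contacted, any port
        # Port restricted cone and symmetric: the exact (ip, port) must have been contacted.
        return ext_src in seen
```

The check in the test exercises each type with one inside endpoint and two outside hosts: only the full cone NAT lets an uncontacted host in, the restricted cone accepts a contacted host from any port, the port restricted cone insists on the exact port, and the symmetric NAT hands out a different external port per destination.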
Firewall
• A firewall is an information technology (IT) security device which is configured to permit, deny or proxy data connections according to the organization's security policy.
• Firewalls can be hardware and/or software based.
Firewall
• A firewall's basic task is to control traffic between computer networks with different zones of trust.
• Typical examples are the Internet, which is a zone with no trust, and an internal network, which is (and should be) a zone with high trust.
• The ultimate goal is to provide controlled interfaces between zones of differing trust levels through the enforcement of a security policy and connectivity model based on the least privilege principle and separation of duties.

Firewall
• A firewall is also called a Border Protection Device (BPD) in certain military contexts where a firewall separates networks by creating perimeter networks in a Demilitarized zone (DMZ).
• In a BSD context they are also known as a packet filter.
• A firewall's function is analogous to firewalls in building construction.

Firewall Types
• There are three basic types of firewalls depending on:
  • Whether the communication is being done between a single node and the network, or between two or more networks.
  • Whether the communication is intercepted at the network layer, or at the application layer.
  • Whether the communication state is being tracked at the firewall or not.

Firewall Types
• With regard to the scope of filtered communications there exist:
  • Personal firewalls, a software application which normally filters traffic entering or leaving a single computer.
  • Network firewalls, normally running on a dedicated network device or computer positioned on the boundary of two or more networks or DMZs (demilitarized zones).
• Such a firewall filters all traffic entering or leaving the connected networks.
Firewall Types
• In reference to the layers where the traffic can be intercepted, three main categories of firewalls exist:
  • Network layer firewalls. An example would be iptables.
  • Application layer firewalls. An example would be TCP Wrappers.
  • Application firewalls. An example would be restricting FTP services through the /etc/ftpaccess file.
Network Layer Firewall
• A network layer firewall works as a packet filter by deciding what packets will pass the firewall according to rules defined by the administrator.
• Filtering rules can act on the basis of source and destination address and on ports, in addition to whatever higher-level network protocols the packet contains.
• Network layer firewalls tend to operate very fast, and transparently to users.

Network Layer Firewall
• Network layer firewalls generally fall into two sub-categories, stateful and stateless.
• Stateful firewalls hold some information on the state of connections (for example: established or not, initiation, handshaking, data or breaking down the connection) as part of their rules (e.g. only hosts inside the firewall can establish connections on a certain port).
• Stateless firewalls have packet-filtering capabilities but cannot make more complex decisions on what stage communications between hosts have reached.
• Stateless firewalls therefore offer less security.
• Stateless firewalls somewhat resemble a router in their ability to filter packets.
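The stateless versus stateful distinction on the slide above is easiest to see on a concrete packet trace. The following added example (not code from the original slides) runs the same five constructed TCP packets through a stateless rule set (allow outbound; allow inbound only when the ACK flag is set, the classic "established" approximation) and through a stateful filter that remembers which connections an inside host actually opened. The addresses, ports and flags are constructed; the policy assumed is "inside hosts may open connections outward, nothing may be opened from outside".

```python
"""Stateless versus stateful filtering of the same packet sequence.

Added example, not from the original slides. Addresses, ports, flags and
the policy (inside may open outward; outside may not open inward) are constructed.
"""
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."   # constructed inside network, checked by prefix for brevity


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def stateless_allow(p: Pkt) -> bool:
    """Classic ACL. Inbound packets are accepted when they *look* like part of an
    existing connection (ACK set); the filter has no way to know whether a
    matching connection was ever opened."""
    if is_internal(p.src) and not is_internal(p.dst):
        return True
    if not is_internal(p.src) and is_internal(p.dst):
        return p.ack
    return False


class StatefulFilter:
    """Connection-tracking filter: remembers outbound connections inside hosts open
    and admits inbound packets only for those."""

    def __init__(self):
        self.conns = set()   # (inside ip, inside port, outside ip, outside port)

    def allow(self, p: Pkt) -> bool:
        if is_internal(p.src) and not is_internal(p.dst):
            key = (p.src, p.sport, p.dst, p.dport)
            if p.syn and not p.ack:
                self.conns.add(key)           # initiation: record the new connection
                return True
            return key in self.conns         # later outbound packets must belong to one
        if not is_internal(p.src) and is_internal(p.dst):
            return (p.dst, p.dport, p.src, p.sport) in self.conns
        return False


def run(trace, decide):
    """Apply a decision function to each packet; returns the list of verdicts."""
    return [decide(p) for p in trace]


# Constructed trace: a normal outbound web connection (SYN, SYN/ACK, ACK, data),
# followed by an unsolicited ACK-flagged packet aimed at an inside host's port 445.
TRACE = [
    Pkt("10.0.0.5", 40000, "198.51.100.7", 80, syn=True, ack=False),
    Pkt("198.51.100.7", 80, "10.0.0.5", 40000, syn=True, ack=True),
    Pkt("10.0.0.5", 40000, "198.51.100.7", 80, syn=False, ack=True),
    Pkt("198.51.100.7", 80, "10.0.0.5", 40000, syn=False, ack=True),
    Pkt("198.51.100.9", 4444, "10.0.0.5", 445, syn=False, ack=True),
]


def compare(trace=TRACE):
    """Verdicts of both filters over the trace, for side-by-side comparison."""
    return run(trace, stateless_allow), run(trace, StatefulFilter().allow)
```

Both filters pass the legitimate connection, but the stateless rule also passes the last packet because the ACK bit alone satisfies it, whereas the stateful filter rejects it since no inside host opened a connection to 198.51.100.9:4444. That is precisely the "stage of communication" decision the slide says a stateless firewall cannot make.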