Network Security Topologies

homuskrat, Networks and Communications

20 Nov 2013

Network Security Topologies

Chapter 11

Learning Objectives

Identify the place and role of the demilitarized zone

NAT and PAT

Tunneling in network security

Describe the security features of VLANs

The network perimeter's importance to an organization's security policies


Perimeter Security Topologies

Any network that is connected (directly or indirectly) to your organization, but is not controlled by your organization, represents a risk.

Firewalls deployed on the network edge enforce security policies and create choke points on network perimeters.

Perimeter security topologies include demilitarized zones (DMZs), extranets, and intranets.

The firewall must be the gateway for all communications between trusted networks and untrusted and unknown networks.

The firewall should selectively admit or deny data flows from other networks based on several criteria:

  Type (protocol)

  Source

  Destination

  Content

Three-tiered Architecture

Outermost perimeter

  Router used to separate the network from the ISP's network

  Identifies the separation point between assets you control and those you do not

  Most insecure area of a network infrastructure

  Normally reserved for routers, firewalls, and public Internet servers (HTTP, FTP, Gopher)

  Not for sensitive company information that is for internal use only

Internal perimeters

  Represent additional boundaries where other security measures are in place

  Multiple internal perimeters are relative to a particular asset, such as the internal perimeter that is just inside the firewall.

Innermost perimeter

Network Classifications

When a network manager creates a network security policy, each network that makes up the topology must be classified as one of three types of networks:

  Trusted

  Semi-trusted

  Untrusted

Trusted Networks

When you set up the firewall, you explicitly identify the type of networks via network adapter cards. After the initial configuration, the trusted networks include the firewall and all networks behind it.

VPNs are exceptions: security mechanisms must exist by which the firewall can authenticate the origin, data integrity, and other security principles contained within the network traffic according to the same security principles enforced on your trusted networks.

Semi-Trusted Networks

Allow access to some database materials and e-mail

May include DNS, proxy, and modem servers

Not for confidential or proprietary information

Referred to as the demilitarized zone (DMZ)

Untrusted Networks

Outside your security perimeter and control; however, you may still need and want to communicate with these networks.

When you set up the firewall, you explicitly identify the untrusted networks from which that firewall can accept requests.

Unknown Networks

Unknown networks are neither trusted nor untrusted

By default, all nontrusted networks are considered unknown networks

You can identify unknown networks below the Internet node and apply more specialized policies to those untrusted networks.

Two Perimeter Networks

Positioning your firewall between an internal and external router provides little additional protection from attacks on either side, but it greatly reduces the amount of traffic that the firewall must evaluate, which can increase the firewall's performance.

Creating and Developing Your Security Design

Know your enemy

Security measures can't stop all unauthorized tasks; they can only make them harder.

The goal is to make sure that security controls are beyond the attacker's ability or motivation.

Know the costs and weigh those costs against the potential benefits.

Identify assumptions: for example, you might assume that your network is not tapped, that attackers know less than you do, that they are using standard software, or that a locked room is safe.

Control secrets: what knowledge would enable someone to circumvent your system?

Know your weaknesses and how they can be exploited

Limit the scope of access: create appropriate barriers in your system so that if intruders access one part of the system, they do not automatically have access to the rest of the system.

Understand your environment: auditing tools can help you detect unusual events.

Limit your trust: people, software and hardware

DMZ

Used by a company to host its own Internet services without allowing unauthorized access to its private network

Sits between the Internet and the internal network's line of defense, usually some combination of firewalls and bastion hosts

Traffic originating from it should be filtered

Typically contains devices accessible to Internet traffic:

  Web (HTTP) servers

  FTP servers

  SMTP (e-mail) servers

  DNS servers

Optional, more secure approach than a simple firewall; may include a proxy server

DMZ Design Goals

Minimize the scope of damage

Protect sensitive data on the server

Detect the compromise as soon as possible

Minimize the effect of the compromise on other organizations

The bastion host is not able to initiate a session back into the private network. It can only forward packets that have already been requested.

A useful mechanism to meet these goals is to add filtering of traffic initiated from the DMZ network to the Internet. This impairs an attacker's ability to have a vulnerable host communicate with the attacker's host, and can:

  keep the vulnerable host from being exploited altogether

  keep a compromised host from being used as a traffic-generating agent in distributed denial-of-service attacks.

The key is to limit traffic to only what is needed, and to drop what is not required, even if the traffic is not a direct threat to your internal network.

Filtering DMZ traffic would also identify traffic coming in from the DMZ interface of the firewall or router that appears to have a source IP address on a network other than the DMZ network number (spoofed traffic). The firewall or router should be configured to initiate a log message or rule alert to notify the administrator.
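Added example (not from the chapter): a small Python model of the DMZ egress filtering and spoofed-source check described above. The DMZ address block, the permitted outbound services and the sample packets are all assumed and constructed for illustration.

```python
import ipaddress

# Assumed DMZ address block and assumed egress policy (constructed, not from the slides)
DMZ_NET = ipaddress.ip_network("203.0.113.0/24")
# Only what DMZ hosts need to initiate: (protocol, destination port)
ALLOWED_FROM_DMZ = {("udp", 53), ("tcp", 25)}   # DNS lookups, outbound mail

def evaluate_dmz_packet(proto, src, dst, dport):
    """Decide what the firewall does with a packet that arrived on its DMZ interface.

    Returns one of:
      "alert"  - source is not on the DMZ network number (spoofed): log and notify
      "permit" - traffic a DMZ host is required to send
      "drop"   - not required, dropped even though it is not aimed at the internal network
    """
    if ipaddress.ip_address(src) not in DMZ_NET:
        return "alert"
    if (proto, dport) in ALLOWED_FROM_DMZ:
        return "permit"
    return "drop"

def filter_dmz(packets):
    """Apply the policy to (proto, src, dst, dport) tuples and collect alert log lines."""
    decisions, log = [], []
    for proto, src, dst, dport in packets:
        verdict = evaluate_dmz_packet(proto, src, dst, dport)
        decisions.append((src, dst, dport, verdict))
        if verdict == "alert":
            log.append(f"ALERT dmz-if spoofed src={src} dst={dst} dport={dport} proto={proto}")
    return decisions, log

# Constructed sample packets seen on the DMZ interface (not from the slides)
SAMPLE_PACKETS = [
    ("tcp", "203.0.113.10", "198.51.100.5", 25),    # mail relay: permit
    ("udp", "203.0.113.20", "198.51.100.53", 53),   # DNS lookup: permit
    ("tcp", "203.0.113.10", "198.51.100.7", 6667),  # not needed by any DMZ host: drop
    ("tcp", "10.0.0.5", "198.51.100.5", 80),        # internal address on DMZ interface: alert
]

if __name__ == "__main__":
    for line in filter_dmz(SAMPLE_PACKETS)[1]:
        print(line)
```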


Intranet

Typically a collection of all LANs inside the firewall (the campus network)

Either a network topology or an application (usually a Web portal) used as a single point of access to deliver services to employees

Shares company information and computing resources among employees

Allows access to the public Internet through firewalls that screen communications in both directions to maintain company security

Extranet

Private network that uses Internet protocol and the public telecommunication system to provide various levels of accessibility to outsiders

Requires security and privacy:

  Firewall management

  Issuance and use of digital certificates or other user authentication

  Encryption of messages

  Use of VPNs that tunnel through the public network

Companies can use an extranet to:

  Exchange large volumes of data

  Share product catalogs exclusively with wholesalers or those in the trade

  Collaborate with other companies on joint development efforts

  Jointly develop and use training programs with other companies

  Provide or access services provided by one company to a group of other companies, such as an online banking application managed by one company on behalf of affiliated banks

  Share news of common interest exclusively with partner companies


Network Address Translation (NAT)

Internet standard that enables a LAN to use one set of IP addresses for internal traffic and a second set for external traffic

Provides a type of firewall by hiding internal IP addresses

Enables a company to use more internal IP addresses

Most often used to map IPs from the nonroutable private address spaces defined by RFC 1918 that either do not require external access or require limited access to outside services:

  A: 10.0.0.0 … 10.255.255.255

  B: 172.16.0.0 … 172.31.255.255

  C: 192.168.0.0 … 192.168.255.255

Static NAT and dynamic NAT

Dynamic NAT is more complex because state must be maintained, and connections must be rejected when the pool is exhausted.

Unlike static NAT, dynamic NAT enables address reuse, reducing the demand for legally registered public addresses.

PAT

Port Address Translation (PAT)

Variation of dynamic NAT

Allows many hosts to share a single IP address by multiplexing streams differentiated by TCP/UDP port numbers

Suppose private hosts 192.168.0.2 and 192.168.0.3 both send packets from source port 1108. A PAT router might translate these to a single public IP address 206.245.160.1 and two different source ports, say 61001 and 61002.

Because PAT maps individual ports, it is not possible to "reverse map" incoming connections for other ports unless another table is configured.

PAT and NAT

In some cases, static NAT, dynamic NAT, PAT, and even bidirectional NAT or PAT may be used together.

Web servers can be reached from the Internet without NAT, because they live in public address space.

Simple Mail Transfer Protocol (SMTP) must be continuously accessible through a public address associated with a DNS entry, so the mail server requires a static mapping (either a limited-purpose virtual server table or static NAT).

For most clients, public address sharing is usually practical through dynamically acquired addresses (either dynamic NAT with a correctly sized address pool, or PAT).

Applications that hold onto dynamically acquired addresses for long periods could exhaust a dynamic NAT address pool and block access by other clients. To prevent this, PAT is used because it enables higher concurrency (thousands of port mappings per IP address).
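Added example (not from the chapter): a Python model of a PAT table that walks through the two-host case above (hosts 192.168.0.2 and 192.168.0.3 sharing 206.245.160.1) together with the static virtual-server mapping the SMTP discussion calls for; it also shows a connection being rejected when the dynamic pool is exhausted, as the NAT slide describes. The SMTP server address 192.168.0.10 and the public port pool are assumed.

```python
class PatTable:
    """Port Address Translation: many private (ip, port) pairs share one public IP.

    Static entries model the limited-purpose "virtual server table" from the slides,
    e.g. an SMTP server that must stay reachable on a fixed public port.
    """

    def __init__(self, public_ip, port_pool=range(61001, 65536), static=None):
        self.public_ip = public_ip
        self.pool = iter(port_pool)   # public ports handed out dynamically (assumed range)
        self.outbound = {}            # (priv_ip, priv_port) -> public_port
        self.inbound = {}             # public_port -> (priv_ip, priv_port)
        for pub_port, target in (static or {}).items():
            self.inbound[pub_port] = target
            self.outbound[target] = pub_port

    def translate_outbound(self, priv_ip, priv_port):
        """Map an outgoing flow to (public_ip, public_port); None when the pool is exhausted."""
        key = (priv_ip, priv_port)
        if key not in self.outbound:
            # take the next free port, skipping any reserved by static entries
            pub_port = next((p for p in self.pool if p not in self.inbound), None)
            if pub_port is None:
                return None           # pool exhausted: the connection is rejected
            self.outbound[key] = pub_port
            self.inbound[pub_port] = key
        return self.public_ip, self.outbound[key]

    def translate_inbound(self, pub_port):
        """Reverse-map an incoming packet; None means no table entry, so it is dropped."""
        return self.inbound.get(pub_port)

def demo():
    """Walk through the slide's example (hosts .2 and .3, port 1108, public 206.245.160.1).
    The SMTP server address 192.168.0.10 is assumed."""
    pat = PatTable("206.245.160.1", static={25: ("192.168.0.10", 25)})
    a = pat.translate_outbound("192.168.0.2", 1108)   # -> ("206.245.160.1", 61001)
    b = pat.translate_outbound("192.168.0.3", 1108)   # -> ("206.245.160.1", 61002)
    reply = pat.translate_inbound(61002)              # -> ("192.168.0.3", 1108)
    unsolicited = pat.translate_inbound(8080)         # -> None: no reverse mapping, dropped
    smtp = pat.translate_inbound(25)                  # -> ("192.168.0.10", 25) via static entry
    return a, b, reply, unsolicited, smtp

if __name__ == "__main__":
    print(demo())
```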

Tunneling

Enables a network to securely send its data through untrusted/shared network infrastructure

Encrypts and encapsulates a network protocol within packets carried by a second network

Replacing WAN links because of security and low cost

An option for most IP connectivity requirements

Example of a Tunnel

A router with Internet Protocol Security (IPSec) encryption capabilities is deployed as a gateway on each LAN's Internet connection.

The routers are configured for a point-to-point VPN tunnel, which uses encryption to build a virtual connection between the two offices.

When a router sees traffic on its LAN that is destined for the VPN, it communicates with the other side, instructing it to build the tunnel.

Once the two routers have negotiated a secure encrypted connection, traffic from the originating host is encrypted using the agreed-upon settings and sent to the peer router.

Virtual Local Area Networks (VLANs)

Deployed using network switches

Used throughout networks to segment different hosts from each other

Often coupled with a trunk, which allows switches to share many VLANs over a single physical link

Benefits of VLANs

Network flexibility

Scalability

Increased performance

Some security features

Security Features of VLANs

Can be configured to group together users in the same group or team, no matter the location

Offer some protection when sniffers are inserted

Protect unused switch ports by moving them all to a separate VLAN

Use an air gap to separate trusted from untrusted networks:

  Do not allow the same switch or network of switches to provide connectivity to networks segregated by firewalls.

  A switch that has direct connections to untrusted networks (Internet) or semitrusted networks (DMZs) should never be used to contain trusted network segments as well.

Vulnerabilities of VLAN Trunks

Trunk traffic does not pass through the router; therefore there is no packet filtering.

Trunk autonegotiation is on by default

  Prevention: Disable autonegotiation on all ports and only allow trunk traffic on trunk ports

By default, trunk links are permitted to carry traffic from all VLANs

  Prevention: Manually configure all trunk links with the VLANs that are permitted to traverse them (pruning)
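Added example (not from the chapter): a Python audit that checks a constructed, Cisco-IOS-style switch configuration for the two trunk weaknesses above, ports that still allow trunk autonegotiation and trunks with no allowed-VLAN list. The interface names and VLAN numbers are assumed and do not describe any real device.

```python
# Constructed switch configuration in Cisco-IOS-like syntax; the interface names and
# VLAN numbers are assumed and do not describe any real device.
SWITCH_CONFIG = """
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
interface GigabitEthernet1/0/2
 switchport mode trunk
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
interface GigabitEthernet1/0/4
 switchport access vlan 10
"""

def parse_interfaces(config):
    """Group the lines of each 'interface' stanza under its interface name."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif current and line:
            ifaces[current].append(line)
    return ifaces

def audit_trunks(config):
    """Return {interface: [findings]} for the trunk weaknesses described on the slide."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        issues = []
        is_trunk = "switchport mode trunk" in lines
        # no explicit mode: the port can still be negotiated into a trunk
        if not is_trunk and "switchport mode access" not in lines:
            issues.append("port mode not fixed (may negotiate a trunk)")
        # trunk autonegotiation is on by default; the slide says disable it on all ports
        if "switchport nonegotiate" not in lines:
            issues.append("autonegotiation enabled")
        # a trunk with no allowed-VLAN list carries every VLAN (no pruning)
        if is_trunk and not any(l.startswith("switchport trunk allowed vlan") for l in lines):
            issues.append("trunk carries all VLANs (no pruning)")
        if issues:
            findings[name] = issues
    return findings
```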

Chapter Summary

Technologies used to create network topologies that secure data and networked resources:

  Perimeter networks

  Network address translation (NAT)

  Virtual local area networks (VLANs)