Network Security Topologies

homuskrat, Networks and Communications

20 Nov 2013 (4 years and 4 months ago)


Network Security Topologies

Chapter 11

Learning Objectives

Identify the place and role of the demilitarized zone (DMZ)

Tunneling in network security

Describe security features of VLANS

Network perimeter’s importance to an
organization’s security policies

Perimeter Security Topologies

Any network that is connected (directly or indirectly) to your
organization, but is not controlled by your organization,
represents a risk.

Firewalls deployed on the network edge enforce
security policies and create choke points on
network perimeters.

Include demilitarized zones (DMZs), extranets,
and intranets


Perimeter Security Topologies

The firewall must be the gateway for all
communications between trusted, untrusted,
and unknown networks.

The firewall should selectively admit or deny
data flows from other networks based on several
criteria, including:

Type (protocol)




Tiered Architecture

Outermost perimeter

Router used to separate your
network from the ISP's

Identifies separation point
between assets you control
and those you do not

Most insecure area of a
network infrastructure

Normally reserved for
routers, firewalls, public
Internet servers (HTTP,
FTP, Gopher)

Not for sensitive company
information that is for
internal use only

Tiered Architecture

Outermost perimeter

Internal perimeters

Represent additional
boundaries where other
security measures are in
place
Multiple internal
perimeters are relative to a
particular asset, such as the
internal perimeter that is
just inside the firewall.

Innermost perimeter

Network Classifications

When a network manager
creates a network security
policy, each network that
makes up the topology
must be classified as one
of three types: trusted,
untrusted, or unknown.



Trusted Networks

When you set up the firewall, you
explicitly identify the type of
networks via network adapter cards.
After the initial configuration, the
trusted networks include the firewall
and all networks behind it.

VPNs are exceptions: mechanisms must
exist by which the firewall can authenticate
the origin, data integrity, and other security
principles contained within the network
traffic according to the same security
principles enforced on your trusted
networks.

Trusted Networks

Allow access to some
database materials and e-mail

May include DNS, proxy,
and modem servers

Not for confidential or
proprietary information

Referred to as the
demilitarized zone (DMZ)

Untrusted Networks

Outside your security
perimeter and control;
however, you may still
need and want to
communicate with these
networks
When you set up the
firewall, you explicitly
identify the untrusted
networks from which
that firewall can accept
requests
Unknown Networks

Unknown networks are
neither trusted nor
untrusted
By default, all nontrusted
networks are considered
unknown networks

You can identify unknown
networks below the
Internet node and apply
more specialized policies
to those untrusted
networks
Two Perimeter Networks

Positioning your firewall between an internal and
external router provides little additional protection
from attacks on either side, but it greatly reduces
the amount of traffic that the firewall must
evaluate, which can increase the firewall's
performance.

Creating and Developing Your
Security Design

Know your enemy

Security measures can’t stop all unauthorized tasks;
they can only make it harder.

The goal is to make sure that security controls are
beyond the attacker's ability or motivation.

Know the costs and weigh those costs against the
potential benefits.

Identify assumptions

For example, you might assume
that your network is not tapped, that attackers know less
than you do, that they are using standard software, or that
a locked room is safe.

Creating and Developing Your
Security Design

Control secrets

What knowledge would enable someone
to circumvent your system?

Know your weaknesses and how they can be exploited

Limit the scope of access

Create appropriate barriers in
your system so that if intruders access one part of the
system, they do not automatically have access to the rest
of the system.

Understand your environment

Auditing tools can help
you detect unusual events.

Limit your trust: people, software and hardware


Used by a company to host its
own Internet services without
permitting unauthorized access
to its private network

Sits between Internet and
internal network’s line of
defense, usually some
combination of firewalls and
bastion hosts

Traffic originating from it
should be filtered



Typically contains devices accessible to
Internet traffic

Web (HTTP) servers

FTP servers

SMTP (mail) servers

DNS servers

Optional, more secure approach to a simple
firewall; may include a proxy server

DMZ Design Goals

Minimize scope of damage

Protect sensitive data on the server

Detect the compromise as soon as possible

Minimize effect of the compromise on other systems

The bastion host is not able to initiate a session
back into the private network. It can only forward
packets that have already been requested.

DMZ Design Goals

A useful mechanism to meet these goals is to add
filtering of traffic initiated from the DMZ toward
the Internet. This impairs an attacker's ability to
have a vulnerable host communicate back to the
attacker's host.

It does not keep the vulnerable host from being exploited,
but it does keep a compromised host from being used as a
traffic-generating agent in distributed denial-of-service
attacks.

The key is to limit traffic to only what is needed, and
to drop what is not required, even if the traffic is not a
direct threat to your internal network

DMZ Design Goals

Filtering DMZ traffic would identify traffic coming
in from the DMZ interface of the firewall or router
that appears to have a source IP address on a
network other than the DMZ network number
(spoofed traffic).

The firewall or router should be configured
to initiate a log message or rule alert to
notify the administrator.
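The DMZ egress rules described above (drop anything the DMZ does not need, and alert on packets leaving the DMZ interface with a source address outside the DMZ network) can be expressed as a small packet-decision function. This is an added example, not code from the slides; the DMZ network 192.0.2.0/24, the interface name dmz0, the permitted services and the sample packets are all constructed for the demonstration.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed addressing for this example: the DMZ lives in 192.0.2.0/24
# (TEST-NET-1) behind the firewall interface "dmz0". Both are assumptions.
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")
DMZ_IFACE = "dmz0"

# Constructed egress allow-list: what DMZ hosts may initiate toward the
# Internet (DNS lookups and outbound mail). Everything else is dropped,
# even if it is not a direct threat to the internal network.
DMZ_EGRESS_ALLOWED = {("udp", 53), ("tcp", 25)}


@dataclass(frozen=True)
class Packet:
    iface: str   # firewall interface the packet arrived on
    src: str     # source IP address
    dst: str     # destination IP address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


def is_spoofed_from_dmz(pkt: Packet) -> bool:
    """True when a packet entering on the DMZ interface carries a source
    address that is not inside the DMZ network (anti-spoofing check)."""
    if pkt.iface != DMZ_IFACE:
        return False
    return ipaddress.ip_address(pkt.src) not in DMZ_NET


def decide(pkt: Packet) -> tuple[str, str]:
    """Return (verdict, reason) for one packet.
    verdict is "drop+alert" (spoofed), "drop" (not needed) or "allow"."""
    if is_spoofed_from_dmz(pkt):
        return "drop+alert", f"spoofed source {pkt.src} on {pkt.iface}"
    if pkt.iface == DMZ_IFACE and (pkt.proto, pkt.dport) not in DMZ_EGRESS_ALLOWED:
        return "drop", f"{pkt.proto}/{pkt.dport} not in DMZ egress policy"
    return "allow", "matches policy"


def filter_dmz_egress(packets):
    """Apply decide() to every packet; return the packets that pass and the
    alert messages the administrator should be notified about."""
    allowed, alerts = [], []
    for pkt in packets:
        verdict, reason = decide(pkt)
        if verdict == "allow":
            allowed.append(pkt)
        elif verdict == "drop+alert":
            alerts.append(f"ALERT {reason} -> {pkt.dst} {pkt.proto}/{pkt.dport}: dropped")
    return allowed, alerts


# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    Packet("dmz0", "192.0.2.10", "198.51.100.5", "udp", 53),    # DMZ DNS lookup: allowed
    Packet("dmz0", "192.0.2.25", "198.51.100.9", "tcp", 25),    # DMZ mail relay: allowed
    Packet("dmz0", "192.0.2.10", "198.51.100.7", "tcp", 6667),  # service not needed: dropped
    Packet("dmz0", "10.20.30.40", "198.51.100.7", "udp", 53),   # source not in DMZ: spoofed
]

if __name__ == "__main__":
    passed, notices = filter_dmz_egress(SAMPLE_PACKETS)
    for p in passed:
        print("allow", p)
    for n in notices:
        print(n)
```

The spoof check deliberately looks only at the arrival interface and the source network, which is exactly what a router or firewall can verify without any deep inspection; the allow-list is a separate decision so that a spoofed packet is always reported, not silently dropped as "not needed".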


Typically a collection of all LANs inside the
firewall (campus network)

Either a network topology or application (usually
a Web portal) used as a single point of access to
deliver services to employees

Shares company information and computing
resources among employees

Allows access to public Internet through firewalls
that screen communications in both directions to
maintain company security



Private network that uses Internet protocol and
public telecommunication system to provide
various levels of accessibility to outsiders

Requires security and privacy

Firewall management

Issuance and use of digital certificates or other user authentication

Encryption of messages

Use of VPNs that tunnel through the public network


Companies can use an extranet to:

Exchange large volumes of data

Share product catalogs exclusively with wholesalers or those in
the trade

Collaborate with other companies on joint development efforts

Jointly develop and use training programs with other companies

Provide or access services provided by one company to a group
of other companies, such as an online banking application
managed by one company on behalf of affiliated banks

Share news of common interest exclusively with partner companies

Network Address Translation (NAT)

Internet standard that enables a LAN to use
one set of IP addresses for internal traffic
and a second set for external traffic

Provides a type of firewall by hiding
internal IP addresses

Enables a company to use more internal IP addresses


Most often used to map IPs from
nonroutable private address spaces defined
by RFC 1918 that either do not require
external access or require limited access to
outside services

A …

B …

C …


Static NAT and dynamic NAT

Dynamic NAT is more complex because state
must be maintained, and connections must be
rejected when the pool is exhausted.

Unlike static NAT, dynamic NAT enables
address reuse, reducing the demand for legally
registered public addresses.


Port Address Translation (PAT)

Variation of dynamic NAT

Allows many hosts to share a single IP address by multiplexing
streams differentiated by TCP/UDP port numbers

Suppose two private hosts both send packets from source port
1108. A PAT router might translate these to a single public IP
address and two different source ports, say 61001 and 61002.

Because PAT maps individual ports, it is not possible to "reverse
map" incoming connections for other ports unless another table is
maintained

In some cases, static NAT, dynamic NAT, PAT, and even
bidirectional NAT or PAT may be used together

Web servers can be reached from the Internet without NAT,
because they live in public address space.

Because Simple Mail Transfer Protocol (SMTP) must be continuously
accessible through a public address associated with a DNS entry,
the mail server requires static mapping (either a limited
virtual server table or static NAT).

For most clients, public address sharing is usually practical
through dynamically acquired addresses (either dynamic NAT
with a correctly sized address pool, or PAT).

Applications that hold onto dynamically acquired addresses for
long periods could exhaust a dynamic NAT address pool and
block access by other clients. To prevent this, PAT is used
because it enables higher concurrency (thousands of port
mappings per IP address)
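The three translation styles discussed in this section (static NAT, dynamic NAT with an exhaustible pool, and PAT multiplexing on source port) differ mainly in what state the translator keeps and in which direction a mapping can be looked up. The model below is an added example, not code from the slides or from any router vendor; the private hosts 10.0.0.11 and 10.0.0.12, the public addresses 203.0.113.0/24 and the port range starting at 61001 are constructed values chosen to reproduce the port-1108 scenario above.

```python
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


class StaticNat:
    """One-to-one, permanent mapping. Works in both directions, so a server
    that must always be reachable (the mail server) keeps a fixed address."""

    def __init__(self, mappings: Dict[str, str]):
        self.in2out = dict(mappings)                            # private -> public
        self.out2in = {pub: priv for priv, pub in mappings.items()}

    def outbound(self, private_ip: str) -> Optional[str]:
        return self.in2out.get(private_ip)

    def inbound(self, public_ip: str) -> Optional[str]:
        return self.out2in.get(public_ip)


class DynamicNat:
    """Public addresses are handed out from a pool on first use. State is kept
    per client, and a new client is rejected once the pool is exhausted."""

    def __init__(self, pool: List[str]):
        self.free = list(pool)
        self.table: Dict[str, str] = {}                         # private -> public

    def outbound(self, private_ip: str) -> Optional[str]:
        if private_ip in self.table:
            return self.table[private_ip]
        if not self.free:
            return None                                         # pool exhausted: reject
        public_ip = self.free.pop(0)
        self.table[private_ip] = public_ip
        return public_ip

    def release(self, private_ip: str) -> None:
        """Return a client's address to the pool (e.g. after an idle timeout),
        which is what makes address reuse possible."""
        public_ip = self.table.pop(private_ip, None)
        if public_ip is not None:
            self.free.append(public_ip)

    def inbound(self, public_ip: str) -> Optional[str]:
        for priv, pub in self.table.items():
            if pub == public_ip:
                return priv
        return None


class Pat:
    """Port Address Translation: every private (ip, port) pair is multiplexed
    onto one public address by rewriting the source port."""

    def __init__(self, public_ip: str, first_port: int = 61001, last_port: int = 65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.table: Dict[Endpoint, Endpoint] = {}               # private -> public
        self.reverse: Dict[Endpoint, Endpoint] = {}             # public -> private

    def outbound(self, private_ip: str, private_port: int) -> Optional[Endpoint]:
        key = (private_ip, private_port)
        if key in self.table:
            return self.table[key]
        if self.next_port > self.last_port:
            return None                                         # port range exhausted
        public = (self.public_ip, self.next_port)
        self.next_port += 1
        self.table[key] = public
        self.reverse[public] = key
        return public

    def inbound(self, public_ip: str, public_port: int) -> Optional[Endpoint]:
        """Only a port that an inside host has already opened can be mapped
        back; an unsolicited packet to any other port has no entry."""
        return self.reverse.get((public_ip, public_port))


if __name__ == "__main__":
    pat = Pat("203.0.113.1")
    print(pat.outbound("10.0.0.11", 1108))   # ('203.0.113.1', 61001)
    print(pat.outbound("10.0.0.12", 1108))   # ('203.0.113.1', 61002)
    print(pat.inbound("203.0.113.1", 61003))  # None: nothing to reverse map
    dyn = DynamicNat(["203.0.113.10", "203.0.113.11"])
    print(dyn.outbound("10.0.0.1"), dyn.outbound("10.0.0.2"), dyn.outbound("10.0.0.3"))
```

Note how the PAT table is keyed on the full (address, port) pair: both hosts can keep using source port 1108 internally, and the public side only ever sees one address. The `DynamicNat.release()` step is the piece real translators implement with idle timers; without it, long-lived clients hold addresses and the pool runs dry exactly as the slide warns.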


Enables a network to securely send its data through untrusted/shared
network infrastructure

Encrypts and encapsulates a network protocol within packets carried
by a second network

Replacing WAN links because of security and low cost

An option for most IP connectivity requirements

Example of a Tunnel

A router with Internet Protocol Security (IPSec) encryption
capabilities is deployed as a gateway on each LAN's Internet
connection.
The routers are configured for a point-to-point VPN tunnel, which
uses encryption to build a virtual connection between the two offices.

When a router sees traffic on its LAN that is destined for the VPN, it
communicates to the other side instructing it to build the tunnel

Once the two routers have negotiated a secure encrypted connection,
traffic from the originating host is encrypted using the agreed
settings and sent to the peer router.

Virtual Local Area Networks (VLANs)

Deployed using network switches

Used throughout
networks to segment
different hosts from each
other
Often coupled with a
trunk, which allows
switches to share many
VLANs over a single
physical link

Benefits of VLANs

Network flexibility



Some security

Security Features of VLANs

Can be configured to group together users in the same group
or team, no matter the location

Offer some protection when sniffers are inserted

Protect unused switch ports by moving them all to a
separate VLAN

Use an air gap to separate trusted from untrusted networks

Do not allow the same switch or network of switches to provide
connectivity to networks segregated by firewalls.

A switch that has direct connections to untrusted networks
(Internet) or semitrusted networks (DMZs), should never be used
to contain trusted network segments as well.

Vulnerabilities of VLAN Trunks

Trunk traffic does not pass through the router,
therefore no packet filtering.

Trunk autonegotiation is on by default

Prevention: Disable autonegotiation on all ports and
only allow trunk traffic on trunk ports

By default, trunk links are permitted to carry
traffic from all VLANs

Prevention: Manually configure all trunk links with
the VLANs that are permitted to traverse them
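Both preventions above are things a configuration audit can verify rather than take on trust. The checker below is an added example, not code from the slides or from any switch vendor: it parses a constructed Cisco IOS-style switch configuration (interface names, VLAN numbers and the mix of correct and weak ports are assumptions for the demo) and reports every port where autonegotiation is still possible or where a trunk is left carrying all VLANs.

```python
from typing import Dict, List, Optional

# Constructed switch configuration in Cisco IOS style (not taken from a real
# device). Ports 1/0/1 and 1/0/24 follow both preventions; the others do not.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/5
 switchport access vlan 10
!
interface GigabitEthernet1/0/23
 switchport mode trunk
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS-style config into {interface name: [its indented lines]}."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw[len("interface "):].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # "!" or a global line ends the interface stanza
    return interfaces


def audit_vlan_ports(config: str) -> Dict[str, List[str]]:
    """Return {interface: [findings]} for ports that violate either prevention:
    trunk autonegotiation (DTP) still possible, or a trunk allowing all VLANs."""
    findings: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        issues: List[str] = []
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        if mode is None or mode == "dynamic":
            # No fixed mode means the port will negotiate a trunk on request.
            issues.append("no fixed switchport mode: trunk autonegotiation is on by default")
        elif "switchport nonegotiate" not in lines:
            issues.append("autonegotiation not disabled (missing 'switchport nonegotiate')")
        if mode == "trunk" and not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
            issues.append("trunk carries all VLANs: restrict with 'switchport trunk allowed vlan ...'")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit_vlan_ports(SAMPLE_CONFIG).items():
        for issue in issues:
            print(f"{port}: {issue}")
```

Run against the constructed config, the audit flags 1/0/2 (access port that can still negotiate), 1/0/5 (no mode set at all) and 1/0/23 (trunk that both negotiates and allows every VLAN), and is silent on the two ports configured as the slide prescribes.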

Chapter Summary

Technologies used to create network
topologies that secure data and networked

Perimeter networks

Network address translation (NAT)

Virtual local area networks (VLANs)