Network Security Topologies

slurpslapoutNetworking and Communications

Nov 20, 2013 (3 years and 7 months ago)

69 views

Network Security

Topologies

Jason Kennedy

March 23, 2004

Network Security

Topics



Perimeter Security Topologies


Demilitarized zone (DMZ)


Network Address Translation


Tunneling


Virtual Local Area Networks


Perimeter Security
Topologies

Perimeter networks permit communication
between the organization and third
parties.


Technology closely related to perimeter
networks is network address translation
(NAT). ……….

Perimeter …….


It is critical to create a strong network
perimeter that protects internal resources
from threats outside the org.

Problems can occur from:


The internet (no power to enforce security)


External networks (business partners,
customers, suppliers)


Need to block undesirable network traffic

Perimeter



Goal is to selectively admit or deny traffic
(or data flows) from other networks
based on a number of criteria, such as:


Type of protocol


Source of request


Destination


Content


Admitted or denied based on companies
security policy.

Security Policies,
(firewall)



Enforced primarily by firewalls



Firewalls used to create choke points on
the network perimeter.



Firewall inspects each packet for
compliance with the security policy.

Three
-
tier Architecture


To have a successful network security perimeter, the
firewall must be the gateway for all communications
between trusted networks and untrusted and unknown
networks.


Each network can contain multiple perimeter networks.


Three types:


The outermost perimeter


Internal perimeter


The innermost perimeter


Three
-
tier Architecture


Outermost


Identifies the separation point between the assets you control and the
assets you don’t control.


This is the router you use to separate your network from your ISP’s
network.


Internal


Represent additional boundaries where you have other security
mechanisms in place.


Ex. When a manager creates a new policy, each network that makes
up that topology must be classified as one of three types of networks:


Trusted



Semi


trusted


Untrusted

Three
-
tier Architecture


Trusted networks


Networks inside you network security perimeter


What you are trying to protect.


Semi


Trusted


Networks that allow users to gain access to some important database
materials and email, and may include DNS, proxy, and modem
servers.


Confident and proprietary info does not reside here.


Referred to as Demilitarized Zones (DMZ) (discuss later)


Untrusted Networks


Networks that are known to be outside of your security perimeter.
External to your firewall.


No control over the administration or security policies.

Three
-
tier Architecture


The Outermost perimeter is the most insecure area of
your network infrastructure.


Normally reserved for routers, firewalls, and public
Internet servers, such as HTTP, FTP, and Gopher
services


The easiest area to gain access to and therefore the
most frequently attacked.


Sensitive company info should not be put in this area.

Creating and Developing
your Security Design

1.
Know your enemy


Consider who might attack


Identify motivations for an attack


What could they do?

2.
Counting the Cost


Weigh costs against benefits

3.
Identifying Any Assumptions


Don’t assume hackers know less than you


Creating and Developing
your Security Design

4.
Controlling Your Secrets


Use passwords and encryption keys


Have a limited number of secrets

5.
Knowing Your Weaknesses


Understand system weak points


Areas of potential danger

6.
Limiting the Scope of Access


Create barriers in your system, so if intruders attack one
point of the system, they do not automatically have access
to other points.

Creating and Developing
your Security Design

7.
Understanding Your Environment


Know what is expected and unexpected from your
system.


Any traffic or patterns that stray from the norm
should be investigated.

8.
Limiting Your Trust


Know which software you rely on


S/W has bugs too!


Demilitarized zone (DMZ)



DMZ are areas that are within the autonomous system, but are not
as tightly controlled as the network’s interior.


Used by companies that want to host its own Internet services,
without sacrificing unauthorized access to it’s private network.


Sits between the Internet and an internal network’s line of
defense, and is usually some combination of firewalls and bastion
hosts.


Basically involves adding multiple firewall layers of security
between the Internet and a companies critical data and business
logic.

Demilitarized zone (DMZ)



A typical DMZ configuration includes:


Outer firewall b/t the Internet and the Web Server processing
the requests originating on the company Web site.


Inner firewall b/t the Web Server and the appl. Server to which
it is forwarding requests. Date resides behind this.


Demilitarized zone (DMZ)



How it works in a small business:


A separate computer receives requests from users within the
private network for access to Web sites or other company
resources on the public network.


The bastion host then initiates sessions for these requests on
the public network. The bastion is not able to initiate a session
back into the private network. It can only forward packets that
have been requested.


Users on the public network outside the company can access
only the hosts on the DMZ. They can only view your website.



Use filtering to impair an attacker’s ability to have a
vulnerable host communicate to the attacker’s host.

Demilitarized zone (DMZ)



Other security tips:


Filter the source of the IP address to determine if its
is one on the DMZ network.


Solid understanding of network traffic.


FTP and DNS initiate outbound connections.
Special considerations should be given to these
protocols.

Demilitarized zone (DMZ)



Intranet


A network topology or the application (Web portal) that
enterprises use as a single point of access to deliver services
to employees and business units.


Also called a campus network.


Main purpose is to share company info and company
resources among employees.


Extranet


Private network that uses the Internet protocol and the public
telecommunication system to securely share part of a
business’s info or operations with suppliers, vendors, partners,
customers, or other businesses.


For users outside of the company.


Requires firewall mgt., the use of digital certificates,
encryption, and the use of VPNs.

Network Address
Translation (NAT)


An Internet standard that enables a local area network
to use one set of IP addresses for internal traffic and a
second set of addresses for external traffic.

NAT……….


Serves two main purposes:

1.
Provides a type of firewall by hiding internal IP addresses

2.
Enables a company to use more internal IP addresses.


When communication between a privately addressed
host and a public network (the Internet) is needed,
address translation is required. This is where NAT
comes in.

NAT Analogy


NAT is like the receptionist in a large office

Let’s say you left instructions with the receptionist not to forward any
calls to you unless you request it.

Later on, you call a potential client and leave a message for that
client to call you back.

You tell the receptionist that you are expecting a call from this client
and to put the client through when he/she calls back.

The client calls the main number to your office, which is the only
number the client knows.

When the client tells the receptionist that he/she is looking for you,
the receptionist checks the lookup table that matches your name
with your extension.

The receptionist knows that you requested this call, and forwards you
the call (message).


NAT…


NAT routers sit on the border between public and
private networks.


NAT works by creating bindings between addresses.


Static NAT


a one to one mapping between public and
private addresses.


Dynamic NAT


maps an unregistered IP address to a
registered IP address from a group of registered IP
addresses.

Static NAT



In static NAT, the computer with the IP address of
192.168.32.10 will always translate to 213.18.123.110

Dynamic NAT


Edge devices that run dynamic NAT create binding “on
the fly” by building a NAT table.


Connections initiated by private hosts are assigned a
public address from a pool.


As long as the private hosts has an outgoing
connection, it can be reached by incoming packets
sent to this public address.


When the connection expires, the binding expires, and
the address is returned to the pool for REUSE.

Dynamic NAT


In dynamic NAT, the computer with the IP address
192.168.32.10 will translate to the first available
address in the range from 213.18.123.100 to
213.18.123.150.


Variation of dynamic NAT


Port Address Translation (PAT)


Used to allow many hosts to share a single IP address by
multiplexing streams differentiated by TCP/UDP port numbers


Ex. Suppose private hosts 192.168.0.2 and 192.168.0.3 both
send packets from source port 1108. A PAT router might
translate these to a single public IP address 206.245.160.1
and two different source ports, lets say 61001 and 61002.
Response traffic received for port 61001 is routed back to
192.168.0.2:1108, while port 61002 traffic is routed back to
192.168.0.3:1108.


Commonly implemented on Small Office / Home Office
routers (SOHO)

Tunneling


Technology that enables a network to securely send its
data through an untrusted or shared network
infrastructure.


Works by encrypting and encapsulating the secured
traffic within packets carried by the second network.


VPN is the best known example of tunneling


“Tunnel” is actually an agreement between routers on
how the data is encrypted.

VLAN



Virtual local area networks


A way of dividing a single physical network switch among
multiple network segments or broadcast domains.


Ability to configure multiple LANs on a single switch


Trunk


allows switches to share many VLANs over a
single physical link


Routers needed to make different VLANs talk


Any Questions?