Chapter 8
Network Security
Topologies
Objectives in this Chapter
Explain network perimeter’s importance to an
organization’s security policies
Identify place and role of the demilitarized zone in the
network
Explain how network address translation is used to help
secure networks
Spell out the role of tunneling in network security
Describe security features of virtual local area networks
ATHENA
Perimeter Security Topologies
The whole goal of connecting networks is so
that people can share information.
The goal of perimeter security is to selectively
admit or deny data flows based on:
• Protocol
• Source
• Destination
• Content
Perimeter Security Topologies
Put in place using firewalls and routers on network edge
Permit secure communications between the
organization and third parties
Key enablers for many mission-critical network services
Include demilitarized zones (DMZs), extranets, and
intranets
Perimeter Security Topologies (continued)
The data flows that are allowed to enter, and
those that aren’t, are defined in an
organization’s security policy.
The security policy describes what type of
activities are permitted and what types are not.
Security Policies and Firewalls
These security policies are enforced primarily
with firewalls deployed at key boundaries in
the network, including the network perimeter.
Every packet entering or leaving is forced to
pass through a firewall, which checks it for
compliance with its rule set, discarding those
that don’t comply.
Multiple Perimeters
A network may contain multiple perimeters,
with different security levels:
• Outermost perimeter
• Internal perimeters
• Innermost perimeter
Outermost Perimeter
A router is used to separate the organization’s network
from the ISP’s network
Identifies the separation point between assets you control
and those you do not
Most insecure area of a network infrastructure
Normally reserved for routers, firewalls, and public
Internet servers (HTTP, FTP, DNS), usually placed on the
DMZ
Not for sensitive company information that is for
internal use only
Internal Perimeters
Represent additional boundaries where other
security measures are in place
Usually separated by firewalls
Used to separate areas with different security
levels and needs
Network Classifications
Trusted
Semi-trusted
Untrusted
Trusted Networks
Inside network security perimeter
The networks you are trying to protect
Semi-Trusted Networks
Allow access to some database materials and
e-mail
May include DNS, proxy, and modem (RAS)
servers, as well as web and FTP servers
Not for confidential or proprietary
information
Referred to as the demilitarized zone (DMZ)
Untrusted Networks
Outside your security perimeter
Outside your control
You may need to communicate with some of
these networks – you configure your router,
firewall, and VPN (in some cases) to do this as
securely as possible
Creating and Developing Your Security
Design
Know your enemy – read books, take
classes/workshops, visit hacker web sites
Count the cost – cost vs. the value of what you
are protecting
Identify assumptions – we all know what
happens when we assume
Creating and Developing Your
Security Design
Control secrets (passwords, encryption keys,
etc.)
Know your weaknesses
Limit the scope of access by creating barriers
at multiple places
Understand your environment – know how
the network usually works
Limit your trust
DMZ
Used by a company to host its own Internet
services without exposing its private network
to unauthorized access (while keeping access
to the DMZ itself to a minimum)
Sits between Internet and internal network’s
line of defense, usually some combination of
firewalls and bastion hosts
Traffic originating from it should be filtered
DMZ (continued)
Typically contains devices accessible to
Internet traffic
• Web (HTTP) servers
• FTP servers
• SMTP (e-mail) servers
• DNS servers
An optional, more secure alternative to a simple
firewall; may include a proxy server
DMZ Design Goals
Isolate internal networks
Minimize scope of damage
Protect sensitive data on the servers
Detect the compromise as soon as possible
Minimize effect of the compromise on other
organizations
Filtering
You filter traffic (using routers and/or
firewalls) coming from the external network
to the DMZ, and from the DMZ to the internal
network
You also filter traffic from the internal
network to the DMZ, and from the DMZ to
the external (although not as strictly)
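As an added example (not part of the Athena slides), here is a small Python model of the three-zone filtering policy described above; it also illustrates the earlier point that a firewall discards every packet its rule set does not explicitly permit. The zone address ranges and the rule set are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the example (assumption, not from the slides):
# anything outside these two ranges is treated as the untrusted external network.
ZONES = {
    "internal": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}

def zone_of(ip: str) -> str:
    """Classify an address as internal, dmz, or external (untrusted)."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str            # "tcp" or "udp"
    dports: frozenset     # destination ports this rule permits

# Hypothetical rule set: every permitted zone pair is listed explicitly,
# external -> internal is deliberately absent, and everything unmatched
# falls through to DROP (default deny).
RULES = [
    Rule("external", "dmz", "tcp", frozenset({80, 443, 25})),   # public web and mail
    Rule("external", "dmz", "udp", frozenset({53})),             # public DNS
    Rule("dmz", "internal", "tcp", frozenset({3306})),           # DMZ web tier to DB only
    Rule("internal", "dmz", "tcp", frozenset({22, 80, 443})),    # admin and app access
    Rule("dmz", "external", "tcp", frozenset({25, 80, 443})),    # mail relay, updates
    Rule("dmz", "external", "udp", frozenset({53})),             # recursive DNS out
]

def decide(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Return ACCEPT or DROP for one flow, the way a perimeter firewall would."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "ACCEPT"   # same zone: never crosses the perimeter device
    for r in RULES:
        if (r.src_zone, r.dst_zone, r.proto) == (src, dst, proto) and dport in r.dports:
            return "ACCEPT"
    return "DROP"         # no rule permitted this flow
```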
Intranet
Either a network topology or application
(usually a Web portal) used as a single point
of access to deliver services to employees
Typically a collection of all LANs inside the
firewall
Shares company information and computing
resources among employees
Intranet (continued)
Allows access to public Internet through
firewalls that screen communications in both
directions to maintain company security
Also called a campus network
Extranet
Private network that uses Internet protocol
and public telecommunication system to
provide various levels of accessibility to
outsiders (partners, customers, etc.)
Can be accessed only with a valid username
and password
Identity determines which parts of the
extranet you can view
Extranet (continued)
Requires security and privacy (some
combination of these below:)
• Firewall management
• Issuance and use of digital certificates or other user
authentication
• Encryption of messages
• Use of VPNs that tunnel through the public network
Network Address Translation (NAT)
Internet standard that enables a LAN to use
one set of IP addresses for internal traffic and
a second set for external traffic
Able to translate addresses contained in an IP
packet
Main Purposes of NAT
Provide a type of firewall by hiding internal IP
addresses
Enable a company to use more internal IP
addresses than they have public IP addresses
Conserves supply of public IP addresses
NAT
Most often used to map IPs from nonroutable
private address spaces defined by RFC 1918
Static NAT and dynamic NAT
Port Address Translation (PAT)
• Variation of dynamic NAT
• Allows many hosts to share a single IP address by
multiplexing streams differentiated by TCP/UDP
port numbers
• Commonly implemented on SOHO routers
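An added example, not from the original slides: a minimal Python model of a PAT gateway that maps many RFC 1918 inside hosts onto one public address by allocating a port per stream, and that has no mapping for inbound packets no inside host initiated, which is the "type of firewall" effect mentioned above. The PatGateway class, the addresses and the port range are constructed assumptions.

```python
import ipaddress
from itertools import count

# The three nonroutable private ranges defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(ip: str) -> bool:
    """True if the address belongs to one of the RFC 1918 ranges."""
    return any(ipaddress.ip_address(ip) in n for n in RFC1918)

class PatGateway:
    """Hypothetical many-to-one NAT (PAT) gateway with a single public address."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = count(first_port)   # constructed port pool for translated streams
        self.outbound = {}   # (inside_ip, inside_port, proto) -> public port
        self.inbound = {}    # (public port, proto) -> (inside_ip, inside_port)

    def translate_out(self, src_ip: str, src_port: int, proto: str):
        """Rewrite an outbound packet's source; returns the (public_ip, port) it now carries."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not an RFC 1918 inside address")
        key = (src_ip, src_port, proto)
        if key not in self.outbound:          # first packet of a stream: allocate a port
            pport = next(self._ports)
            self.outbound[key] = pport
            self.inbound[(pport, proto)] = (src_ip, src_port)
        return self.public_ip, self.outbound[key]

    def translate_in(self, dst_port: int, proto: str):
        """Map a packet arriving at the public address back to the inside host.
        Returns None, meaning drop, when no inside host opened this stream."""
        return self.inbound.get((dst_port, proto))
```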
Tunneling
Enables a network to securely send its data through
untrusted/shared network infrastructure
Encrypts and encapsulates a network protocol
within packets carried by a second network
Best-known example: virtual private networks
Replacing WAN links because of security and low
cost
An option for most IP connectivity requirements
Example of a Tunnel
Virtual Local Area Networks (VLANs)
Deployed using network switches
Used throughout networks to segment different
hosts from each other
Often coupled with a trunk, which allows
switches to share many VLANs over a single
physical link
Benefits of VLANs
Network flexibility
Scalability
Increased performance
Some security features
Security Features of VLANs
Can be configured to group together users in
same group or team, while segmenting the
network
Offer some protection when sniffers are
inserted into the network
Protect unused switch ports by turning them
off. Put unused ports in a separate VLAN
that’s not routed
Security Features of VLANs
Use an air gap to separate trusted from
untrusted networks – use separate switch for
the DMZ or other untrusted network (a
separate hub may be more appropriate)
Vulnerabilities of VLAN Trunks
Trunk autonegotiation
• Prevention: Disable autonegotiation on all ports
Trunk VLAN membership and pruning
• Prevention: Manually configure all trunk links with
the VLANs that are permitted to traverse them
Summary
Technologies used to create network topologies
that secure data and networked resources
• Perimeter networks
• Network address translation (NAT)
• Virtual local area networks (VLANs)