Security + Certification - Chapter 8: Network Security Topologies - Athena

The whole goal of connecting networks is so that people can share information. The goal of perimeter security is to selectively admit or deny data flows based on:
- Protocol
- Source
- Destination
- Content

Perimeter security topologies are put in place using firewalls and routers on the network edge; they permit secure communications between the organization and third parties, are key enablers for many mission-critical network services, and include demilitarized zones (DMZs), extranets, and intranets. The data flows that are allowed to enter, and those that aren't, are defined in an organization's security policy. The security policy describes what types of activities are permitted and what types are not.

PDF, 40 pages | Shared by: candy98 | Views: 445 | Downloads: 0
Chapter 8: Network Security Topologies

Objectives in this Chapter
- Explain the network perimeter's importance to an organization's security policies
- Identify the place and role of the demilitarized zone in the network
- Explain how network address translation is used to help secure networks
- Spell out the role of tunneling in network security
- Describe the security features of virtual local area networks

ATHENA

Perimeter Security Topologies
- The whole goal of connecting networks is so that people can share information.
- The goal of perimeter security is to selectively admit or deny data flows based on:
  • Protocol
  • Source
  • Destination
  • Content
- Put in place using firewalls and routers on the network edge
- Permit secure communications between the organization and third parties
- Key enablers for many mission-critical network services
- Include demilitarized zones (DMZs), extranets, and intranets
- The data flows that are allowed to enter, and those that aren't, are defined in an organization's security policy.
- The security policy describes what types of activities are permitted and what types are not.

Security Policies and Firewalls
- These security policies are enforced primarily with firewalls deployed at key boundaries in the network, including the network perimeter.
- Every packet entering or leaving is forced to pass through a firewall, which checks it for compliance with its rule set, discarding those that don't comply.
Multiple Perimeters
- A network may contain multiple perimeters, with different security levels:
  • Outermost perimeter
  • Internal perimeters
  • Innermost perimeter

Outermost Perimeter
- A router is used to separate the network from the ISP's network
- Identifies the separation point between assets you control and those you do not
- Most insecure area of a network infrastructure
- Normally reserved for routers, firewalls, and public Internet servers (HTTP, FTP, DNS), usually on the DMZ
- Not for sensitive company information that is for internal use only

Internal Perimeters
- Represent additional boundaries where other security measures are in place
- Usually separated by firewalls
- Used to separate areas with different security levels and needs

Network Classifications
- Trusted
- Semi-trusted
- Untrusted

Trusted Networks
- Inside the network security perimeter
- The networks you are trying to protect

Semi-Trusted Networks
- Allow access to some database materials and e-mail
- May include DNS, proxy, and modem (RAS) servers, as well as DNS, web, and FTP servers
- Not for confidential or proprietary information
- Referred to as the demilitarized zone (DMZ)

Untrusted Networks
- Outside your security perimeter
- Outside your control
- You may need to communicate with some of these networks; you configure your router, firewall, and VPN (in some cases) to do this as securely as possible

Creating and Developing Your Security Design
- Know your enemy: read books, take classes/workshops, visit hacker web sites
- Count the cost: cost vs. the value of what you are protecting
- Identify assumptions: we all know what happens when we assume
- Control secrets (passwords, encryption keys, etc.)
- Know your weaknesses
- Limit the scope of access by creating barriers at multiple places
- Understand your environment: know how the network usually works
- Limit your trust

DMZ
- Used by a company to host its own Internet services without exposing its private network to unauthorized access (while minimizing access)
- Sits between the Internet and the internal network's line of defense, usually some combination of firewalls and bastion hosts
- Traffic originating from it should be filtered
- Typically contains devices accessible to Internet traffic:
  • Web (HTTP) servers
  • FTP servers
  • SMTP (e-mail) servers
  • DNS servers
- Optional, more secure approach than a simple firewall; may include a proxy server

DMZ Design Goals
- Isolate internal networks
- Minimize the scope of damage
- Protect sensitive data on the servers
- Detect the compromise as soon as possible
- Minimize the effect of the compromise on other organizations

Filtering
- You filter traffic (using routers and/or firewalls) coming from the external network to the DMZ, and from the DMZ to the internal network
- You also filter traffic from the internal network to the DMZ, and from the DMZ to the external network (although not as strictly)

Intranet
- Either a network topology or an application (usually a Web portal) used as a single point of access to deliver services to employees
- Typically a collection of all LANs inside the firewall
- Shares company information and computing resources among employees
- Allows access to the public Internet through firewalls that screen communications in both directions to maintain company security
- Also called a campus network

Extranet
- Private network that uses Internet protocols and the public telecommunication system to provide various levels of accessibility to outsiders (partners, customers, etc.)
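The "Security Policies and Firewalls" slide and the "Filtering" slide above describe the same mechanism from two angles: a rule set that every packet is checked against, applied at the boundaries between the external network, the DMZ and the internal network. The following added example (not from the slides or from Athena; the address plan, zone names and rule set are constructed assumptions) models that enforcement as a zone-based, first-match packet filter with an implicit default deny, so a packet the policy does not name is discarded exactly as the slide states.

```python
"""Zone-based stateless packet filter with first-match rules and an implicit
default deny: the policy enforcement the slides describe for the perimeter
firewall and for filtering between external network, DMZ and internal LAN."""
import ipaddress
from dataclasses import dataclass

# Constructed address plan (an assumption, not from the slides): RFC 1918
# space for the internal LAN and the DMZ; anything else is "external".
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
}
ANY = frozenset()   # empty port set means "any destination port"


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str        # source IP address
    dst: str        # destination IP address
    dport: int = 0  # destination port; 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str     # "allow" or "deny"
    src_zone: str   # zone name or "any"
    dst_zone: str   # zone name or "any"
    proto: str      # "tcp", "udp", "icmp" or "any"
    dports: frozenset = ANY


def zone_of(ip: str) -> str:
    """Map an address to its zone; everything outside the known private
    zones is the untrusted external network."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


# Constructed rule set following the slides' guidance: external -> DMZ only
# to the published services, DMZ -> internal only to the one back-end port
# the web tier needs, internal -> DMZ for administration, DMZ -> external
# less strictly for updates. Order matters: first match wins, and a packet
# matching no rule falls through to the default deny in evaluate().
RULES = [
    Rule("allow", "external", "dmz", "tcp", frozenset({25, 80, 443})),
    Rule("allow", "any", "dmz", "udp", frozenset({53})),
    Rule("allow", "dmz", "internal", "tcp", frozenset({3306})),
    Rule("allow", "internal", "dmz", "tcp", frozenset({22, 80, 443})),
    Rule("allow", "dmz", "external", "tcp", frozenset({80, 443})),
    Rule("allow", "internal", "external", "any"),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule accepts the packet."""
    return ((rule.src_zone == "any" or rule.src_zone == zone_of(pkt.src))
            and (rule.dst_zone == "any" or rule.dst_zone == zone_of(pkt.dst))
            and (rule.proto == "any" or rule.proto == pkt.proto)
            and (not rule.dports or pkt.dport in rule.dports))


def evaluate(pkt: Packet, rules=RULES) -> str:
    """Return the action of the first matching rule; default deny otherwise."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"   # nothing in the policy names this flow, so discard it


if __name__ == "__main__":
    # Constructed sample packets crossing each boundary.
    samples = [
        Packet("tcp", "203.0.113.7", "192.168.100.10", 443),   # Internet -> DMZ web
        Packet("tcp", "203.0.113.7", "192.168.100.10", 22),    # Internet -> DMZ SSH
        Packet("tcp", "203.0.113.7", "10.1.2.3", 443),         # Internet -> internal
        Packet("tcp", "192.168.100.10", "10.1.2.3", 3306),     # DMZ -> internal DB
        Packet("tcp", "192.168.100.10", "10.1.2.3", 22),       # DMZ -> internal SSH
        Packet("tcp", "10.1.2.3", "192.168.100.10", 22),       # internal -> DMZ admin
    ]
    for p in samples:
        print(f"{zone_of(p.src):>8} -> {zone_of(p.dst):<8} {p.proto}/{p.dport:<5} {evaluate(p)}")
```

The filter is stateless: reply packets for an allowed flow (for example the web server's responses to an Internet client) would themselves need a matching rule, which is why real perimeter firewalls track connection state rather than evaluating each packet in isolation. The design choice worth keeping is the fall-through at the end of `evaluate()`: the policy lists what is permitted, and everything else is dropped by default.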
- Can be accessed only with a valid username and password
- Identity determines which parts of the extranet you can view
- Requires security and privacy (some combination of the following):
  • Firewall management
  • Issuance and use of digital certificates or other user authentication
  • Encryption of messages
  • Use of VPNs that tunnel through the public network

Network Address Translation (NAT)
- Internet standard that enables a LAN to use one set of IP addresses for internal traffic and a second set for external traffic
- Able to translate addresses contained in an IP packet

Main Purposes of NAT
- Provide a type of firewall by hiding internal IP addresses
- Enable a company to use more internal IP addresses than it has public IP addresses
- Conserve the supply of public IP addresses

NAT
- Most often used to map IPs from the nonroutable private address spaces defined by RFC 1918
- Static NAT and dynamic NAT
- Port Address Translation (PAT)
  • Variation of dynamic NAT
  • Allows many hosts to share a single IP address by multiplexing streams differentiated by TCP/UDP port numbers
  • Commonly implemented on SOHO routers

Tunneling
- Enables a network to securely send its data through untrusted/shared network infrastructure
- Encrypts and encapsulates a network protocol within packets carried by a second network
- Best-known example: virtual private networks
- Replacing WAN links because of security and low cost
- An option for most IP connectivity requirements

Example of a Tunnel
(figure; not present in the extracted text)

Virtual Local Area Networks (VLANs)
- Deployed using network switches
- Used throughout networks to segment different hosts from each other
- Often coupled with a trunk, which allows switches to share many VLANs over a single physical link

Benefits of VLANs
- Network flexibility
- Scalability
- Increased performance
- Some security features

Security Features of VLANs
- Can be configured to group together users in the same group or team, while segmenting the network
- Offer some protection when sniffers are inserted into the network
- Protect unused switch ports by turning them off; put unused ports in a separate VLAN that's not routed
- Use an air gap to separate trusted from untrusted networks: use a separate switch for the DMZ or other untrusted network (a separate hub may be more appropriate)

Vulnerabilities of VLAN Trunks
- Trunk autonegotiation
  • Prevention: disable autonegotiation on all ports
- Trunk VLAN membership and pruning
  • Prevention: manually configure all trunk links with the VLANs that are permitted to traverse them

Summary
- Technologies used to create network topologies that secure data and networked resources:
  • Perimeter networks
  • Network address translation (NAT)
  • Virtual local area networks (VLANs)
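The NAT slides above list static NAT, dynamic NAT and PAT, and state that NAT "provides a type of firewall by hiding internal IP addresses". The following added example (not from the slides or from Athena; the public address, the private hosts and the port pool are constructed assumptions) models a small gateway that does static one-to-one NAT for a published DMZ server and PAT for the internal LAN, so you can see where the hiding actually comes from: an inbound packet is only forwarded inside if the translation table already holds state for it.

```python
"""Model of a NAT gateway: static 1:1 NAT for a published server plus PAT
(many inside hosts behind one public address, multiplexed by port)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    def __init__(self, public_ip, static=None, port_range=(40000, 40099)):
        self.public_ip = public_ip
        self.static = dict(static or {})                       # inside -> public, 1:1
        self.static_rev = {pub: ins for ins, pub in self.static.items()}
        self.free_ports = list(range(port_range[0], port_range[1] + 1))
        # PAT state: one entry per outbound flow. Inbound lookups are keyed on
        # the translated port AND the remote endpoint, so only the peer the
        # inside host talked to can reach it back through that port.
        self.out_table = {}   # (proto, src, sport, dst, dport) -> public port
        self.in_table = {}    # (proto, public port, remote ip, remote port) -> (src, sport)

    def outbound(self, f: Flow) -> Flow:
        """Rewrite a packet leaving the LAN; allocates PAT state on first use."""
        if f.src in self.static:
            return replace(f, src=self.static[f.src])          # static NAT keeps the port
        key = (f.proto, f.src, f.sport, f.dst, f.dport)
        port = self.out_table.get(key)
        if port is None:
            if not self.free_ports:
                raise RuntimeError("PAT port pool exhausted")  # real routers age entries out
            port = self.free_ports.pop(0)
            self.out_table[key] = port
            self.in_table[(f.proto, port, f.dst, f.dport)] = (f.src, f.sport)
        return replace(f, src=self.public_ip, sport=port)

    def inbound(self, f: Flow):
        """Reverse-translate a packet arriving from outside; None means dropped."""
        if f.dst in self.static_rev:
            return replace(f, dst=self.static_rev[f.dst])      # published server
        if f.dst != self.public_ip:
            return None
        inside = self.in_table.get((f.proto, f.dport, f.src, f.sport))
        if inside is None:
            return None   # unsolicited: no state exists, the inside host stays hidden
        return replace(f, dst=inside[0], dport=inside[1])


if __name__ == "__main__":
    # Constructed addresses: one public address for PAT, one static mapping
    # for a DMZ web server, two internal clients using the same source port.
    gw = NatGateway("203.0.113.1", static={"192.168.100.10": "203.0.113.10"})
    a = gw.outbound(Flow("tcp", "10.0.0.5", 51000, "198.51.100.20", 443))
    b = gw.outbound(Flow("tcp", "10.0.0.6", 51000, "198.51.100.20", 443))
    print("outbound:", a, b, sep="\n  ")
    print("reply   :", gw.inbound(Flow("tcp", "198.51.100.20", 443, "203.0.113.1", b.sport)))
    print("scan    :", gw.inbound(Flow("tcp", "198.51.100.99", 12345, "203.0.113.1", 40050)))
    print("published:", gw.inbound(Flow("tcp", "198.51.100.99", 12345, "203.0.113.10", 443)))
```

Two points the model makes visible. First, the two clients both use source port 51000, and PAT keeps them apart only by the translated port, which is why PAT can serve far more hosts than a single public address would otherwise allow. Second, the "firewall-like" property is a side effect of missing state, not a policy: the statically mapped server is reachable from anywhere, and PAT hosts are hidden only until they initiate a flow, so NAT complements rather than replaces the rule set enforced at the perimeter.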
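The "Security Features of VLANs" and "Vulnerabilities of VLAN Trunks" slides give three concrete preventions: disable trunk autonegotiation on all ports, manually configure the VLANs permitted on each trunk, and shut unused ports down in a separate VLAN that is not routed. The following added example (not from the slides or from Athena) audits a Cisco IOS-style switch configuration for those three settings; the sample configuration, the interface names and the choice of VLAN 999 as the unrouted parking VLAN are constructed assumptions, while the `switchport` commands it looks for are standard IOS syntax.

```python
"""Audit a Cisco IOS-style switch configuration for the VLAN hardening the
slides recommend: no DTP autonegotiation, explicit allowed-VLAN lists on
trunks, and unused ports shut down in an unrouted parking VLAN."""

PARKING_VLAN = "999"   # assumption: an unrouted VLAN reserved for unused ports

# Constructed sample configuration (not taken from any real switch).
SAMPLE_CONFIG = """\
hostname dmz-sw1
!
interface GigabitEthernet0/1
 description uplink to core
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description legacy uplink
 switchport mode trunk
 switchport trunk allowed vlan all
!
interface GigabitEthernet0/3
 description web server
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
interface GigabitEthernet0/4
 description spare
!
interface GigabitEthernet0/5
 switchport mode access
 switchport access vlan 999
 shutdown
!
"""


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [stripped config lines]} from a config dump."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!" or not line:
            current = None                  # "!" closes the interface block
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def audit_interface(lines) -> list:
    """Return a list of findings (empty list means the port passes)."""
    findings = []
    mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
    nonegotiate = "switchport nonegotiate" in lines
    allowed = next((l for l in lines if l.startswith("switchport trunk allowed vlan ")), None)
    parked = f"switchport access vlan {PARKING_VLAN}" in lines
    if "shutdown" in lines:
        if not parked:
            findings.append(f"shut down but not parked in unrouted VLAN {PARKING_VLAN}")
    elif mode == "trunk":
        if not nonegotiate:
            findings.append("trunk still negotiates via DTP; add 'switchport nonegotiate'")
        if allowed is None or allowed.endswith(" all"):
            findings.append("trunk carries all VLANs; set an explicit allowed VLAN list")
    elif mode == "access":
        if not nonegotiate:
            findings.append("access port still sends DTP; add 'switchport nonegotiate'")
    else:
        # No explicit mode (or a "dynamic" mode): the port will negotiate a
        # trunk with whatever is plugged in, and it is not shut down either.
        findings.append("no explicit switchport mode: autonegotiation active; "
                        "configure the port or shut it down in the parking VLAN")
    return findings


def audit_switch_config(config: str) -> dict:
    """Audit every interface; {name: [findings]}."""
    return {name: audit_interface(lines)
            for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, findings in audit_switch_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

Run against the sample, only the legacy uplink (trunk with DTP left on and `allowed vlan all`) and the spare port (no mode, not shut down) produce findings. The script checks a text dump rather than the live switch so it can run in a review pipeline over exported configurations; it does not cover the native-VLAN setting or other trunk details beyond the two preventions the slides name.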