incs775_lect5 - Educational Enterprise Zone


Data Center Network Infrastructure and Security Topics
Best practices
• Best Practice is a management idea which
asserts that there is a technique, method,
process, activity, incentive or reward that is more
effective at delivering a particular outcome than
any other technique, method, process, etc.
• The idea is that with proper processes, checks,
and testing, a project can be rolled out and
completed with fewer problems and unforeseen
complications.
Network Infrastructure
• Communications in data centers today are most often
based on networks running the IP protocol suite.
• Data centers contain a set of routers and switches that
transport traffic between the servers and to the outside
world.
• Redundancy is sometimes provided by getting the
network connections from multiple vendors.
• Some of the servers at the data center are used for
running the basic Internet and intranet services needed
by internal users in the organization:
– email servers
– proxy servers
– DNS servers
Network Infrastructure
• Network security elements are also usually
deployed
– Firewalls
– VPN gateways
– Intrusion detection systems
• Also common are monitoring systems for the
network and some of the applications.
• Additional offsite monitoring systems are also
typical, in case of a failure of communications
inside the data center.
Applications
• The main purpose of a data center is running the
applications that handle the core business and
operational data of the organization.
• Such systems may be proprietary and
developed internally by the organization, or
bought from enterprise software vendors.
• Common examples of such applications are ERP and CRM
systems.
ERP
• Enterprise Resource Planning systems (ERPs)
integrate (or attempt to integrate) all data and
processes of an organization into a unified
system.
• A typical ERP system will use multiple
components of computer software and hardware
to achieve the integration.
• A key ingredient of most ERP systems is the use
of a unified database to store data for the
various system modules.
CRM
• Customer relationship management
(CRM) is a broad term that covers
concepts used by companies to manage
their relationships with customers,
including the capture, storage and analysis
of customer information.
Aspects of CRM
• There are four aspects of CRM, each of which can be
implemented in isolation:
1. Active CRM: a centralized database which facilitates the
organization of data and automates business processes and
common tasks.
2. Operational CRM: automation or support of customer processes
that include a company’s sales or service representatives.
3. Collaborative CRM: direct communication with customers that
does not include a company’s sales or service representatives
(“self service”).
4. Analytical CRM: analysis of customer data for a broad range of
purposes.
CRM: Technology considerations
• The technology requirements of a CRM strategy are very
complex and far reaching. The basic building blocks
include:
– A database to store customer information. This can be a CRM
specific database or an enterprise data warehouse.
– Operational CRM requires customer agent support software.
– Collaborative CRM requires customer interaction systems, e.g. an
interactive website, automated phone systems, etc.
– Analytical CRM requires statistical analysis software, as well as
software that manages any specific marketing campaigns.
– Support CRM systems require interactive chat software to
provide live help and support to web site visitors.
CRM: Privacy and Data Security
• The handling of data gathered as part of CRM must take
customer privacy and data security into account.
Customers want the assurance that their data is not
shared with third parties without their consent and is
not accessed illegally by third parties.
• Customers also want their data to be used by
companies to provide a benefit for them.
DMZ
• In computer security terminology, a demilitarized zone
(DMZ) or perimeter network is a network area (a
subnetwork) that sits between an organization's internal
network and an external network, usually the Internet.
• Typically, the DMZ contains devices accessible
to Internet traffic, such as
– Web (HTTP) servers
– FTP servers
– SMTP (e-mail) servers
– DNS servers.
DMZ
• The point of a DMZ is that connections
from the internal and the external network
to the DMZ are permitted, whereas
connections from the DMZ are only
permitted to the external network -- hosts
in the DMZ may not connect to the internal
network.
DMZ
• This allows the DMZ's hosts to provide
services to the external network while
protecting the internal network in case
intruders compromise a host in the DMZ.
For someone on the external network who
wants to illegally connect to the internal
network, the DMZ is a dead end.
DMZ
• Connections from the external network to
the DMZ are usually controlled using port
address translation (PAT).
PAT
• Port Address Translation (PAT) is a feature of a
network device that translates TCP or UDP
communications made between a host and port
on an outside network, and a host and port on
an inside network. It allows a single IP address
to be used for many internal hosts. PAT may
allow one public IP address to handle
communication for 65536 inside hosts.
• A PAT device can transparently and
automatically modify the IP packets' destination
or source host IP and port fields belonging to its
internal hosts.
PAT
• PAT is closely related to the concept of
Network Address Translation, often called
NAT.
• Similar to NAT, port translation makes
changes to the sender’s address or
recipient’s address on data packets.
• However, any IP address change involves
the PAT device’s outside IP address rather
than a pool of addresses as in NAT.
PAT
• PAT translates both the IP and port fields - wherever those values belong to an
internal host.
• Port numbers on packets coming from the
external network, rather than destination
IP addresses, are used to identify and
designate traffic to different computers on
the inside network.
PAT
• Server (public) IP addresses have worldwide
significance and ports have significance that depend on
the particular type of communication desired (e.g. web,
email, FTP).
• The significance of the IP address on an internal host
however needs only to be limited to the organizational
entity where it resides. Thus private addresses as given
in RFC 1918 may be used.
• Additionally, the port number of a client application on a
client host is significant only to that particular host.
• Consequently within an organization any communicating
client application can be uniquely identified by the
combination of its host IP (organizational significance)
and host port (host only significance).
PAT
• A PAT device is like a post office that
delivers box mail: outgoing envelopes are
changed to appear to come from a post
office box; incoming envelopes addressed
to a valid post office box are changed to
have the real street address of the box
holder.
PAT
• PAT can only translate/replace IP
addresses and ports for its internal hosts.
• As a consequence of its function it
effectively hides the true endpoint IP
address and port of the internal hosts.
• However, PAT must of course leave the
public IP address and port information of
the external host unmodified.
PAT
• Port translation allows many computers to
share a single IP address.
• The PAT device periodically deletes
translations from its table when they no
longer appear to be in use.
• Because the port number field is a 16-bit
unsigned number (0-65535), the likelihood
of an inside computer not being able to
send outside traffic is greatly reduced.
PAT
• The PAT operation is typically invisible to both
the internal and external hosts.
• Typically the internal host is aware of the true IP
address and TCP or UDP port of the external
host.
• Typically the PAT device may function as the
default gateway for the internal host.
• However the external host is only aware of the
public IP address for the PAT device and the
particular port being used to communicate on
behalf of a specific internal host.
PAT
• The PAT device usually sits at the network
perimeter, where one side connects to the
external network, usually the public
Internet.
• On the other side is the internal network,
usually with private IP addressing.
PAT
• Firewall systems and multi-port broadband
network access devices (e.g. ADSL
routers, cable modems) tend to use PAT.
• In the configuration of those devices, the
outside network is the Internet and the
inside network is the LAN.
PAT
• Advantage:
– PAT's main advantage is that multiple internal hosts
can share a single IP address for communication.
• Disadvantage:
– Only a single instance of a given public service, e.g.
HTTP on port 80, can be exposed per public IP address.
– Thus an organization using PAT and a single IP
cannot easily run more than one of the same type of
public service behind a PAT, e.g. two public web
servers using the default port 80.
NAT
• The process of network address translation (NAT, also
known as network masquerading, native address
translation or IP-masquerading) involves re-writing the
source and/or destination addresses of IP packets as
they pass through a router or firewall.
• Most systems using NAT do so in order to enable
multiple hosts on a private network to access the Internet
using a single public IP address.
• According to specifications, routers should not act in this
way, but many network administrators find NAT a
convenient technique and use it widely.
• Nonetheless, NAT can introduce complications in
communication between hosts.
NAT
• In a typical configuration, a local network uses one of the
designated "private" IP address subnets (the RFC 1918
Private Network Addresses are 192.168.x.x, 172.16.x.x
through 172.31.x.x, and 10.x.x.x), and a router on that
network has a private address (such as 192.168.0.1) in
that address space.
• The router is also connected to the Internet with a single
"public" address (known as "overloaded" NAT) or
multiple "public" addresses assigned by an ISP.
• As traffic passes from the local network to the Internet,
the source address in each packet is translated on the fly
from the private addresses to the public address(es).
NAT
• The router tracks basic data about each active
connection (particularly the destination address and
port).
• When a reply returns to the router, it uses the connection
tracking data it stored during the outbound phase to
determine where on the internal network to forward the
reply;
– the TCP or UDP client port numbers are used to demultiplex the
packets in the case of overloaded NAT, or IP address and port
number when multiple public addresses are available, on packet
return.
• To a system on the Internet, the router itself appears to
be the source/destination for this traffic.
NAT
• Drawbacks:
– Hosts behind a NAT-enabled router do not have true
end-to-end connectivity and cannot participate in
some Internet protocols.
– Services that require the initiation of TCP
connections from the outside network, or stateless
protocols such as those using UDP, can be disrupted.
– Use of NAT also complicates tunneling protocols such
as IPsec, because NAT modifies values in the headers
which interfere with the integrity checks done by
IPsec and other tunneling protocols.
NAT
• In addition to the convenience and low cost of NAT, the
lack of full bidirectional connectivity can be regarded in
some situations as a feature rather than a limitation.
• To the extent that NAT depends on a machine on the
local network to initiate any connection to hosts on the
other side of the router, it prevents malicious activity
initiated by outside hosts from reaching those local
hosts.
• This can enhance the reliability of local systems by
stopping worms and enhance privacy by discouraging
scans. Many NAT-enabled firewalls use this as the core
of the protection they provide.
NAT
• The greatest benefit of NAT is that it is a
practical solution to the impending exhaustion of
IPv4 address space.
– Networks that previously required a Class B IP range
or a block of Class C network addresses can now be
connected to the Internet with as little as a single IP
address (many home networks are set up this way).
– The more common arrangement is having machines
that require true bidirectional and unfettered
connectivity supplied with a 'real' IP address, while
having machines that do not provide services to
outside users (e.g. a secretary's computer) tucked
away behind NAT with only a few IP addresses used
to enable Internet access.
NAT
• Two kinds of network address translation exist.
– The type popularly called simply "NAT" (also
sometimes named "Network Address Port
Translation" or "NAPT" or even PAT) refers to network
address translation involving the mapping of port
numbers, allowing multiple machines to share a
single IP address.
– The other, technically simpler, form - also called NAT,
"one-to-one NAT", "basic NAT" or "static NAT" - involves
only address translation, not port mapping.
This requires an external IP address for each
simultaneous connection. Broadband routers often
use this feature, sometimes labelled "DMZ host", to
allow a designated computer to accept all external
connections even when the router itself uses the only
available external IP address.
NAT
• NAT with port-translation comes in two
sub-types:
– source address translation (source NAT),
which re-writes the IP address of the
computer which initiated the connection
– destination address translation (destination
NAT).
• In practice, both are usually used together
in coordination for two-way
communication.
NAT
• NAT traversal refers to a solution to the common
problem in TCP/IP networking of establishing
connections between hosts in private TCP/IP networks
which use NAT devices.
• This problem is typically faced by developers of
client-to-client networking applications, especially in
peer-to-peer and VoIP. NAT-T is commonly used by IPsec
VPN clients in order to have ESP packets go through NAT.
• Many techniques exist, but no technique works in every
situation since NAT behavior is not standardized.
NAT
• Many techniques require a public server on a
well-known globally reachable IP address.
– Some methods use the server only when establishing
the connection (such as STUN), while
– Others are based on relaying all the data through it
(such as TURN), which adds bandwidth costs and
increases latency detrimental to conversational VoIP
applications.
• Most NAT behavior-based techniques fail to
preserve enterprise security policies and break
end-to-end transparency.
Some NAT types
• With full cone NAT, also
known as one-to-one
NAT, all requests from the
same internal IP address
and port are mapped to
the same external IP
address and port.
• An external host can
send a packet to the
internal host, by sending
a packet to the mapped
external address.
Some NAT types
• With restricted cone NAT,
all requests from the
same internal IP address
and port are mapped to
the same external IP
address and port.
• Unlike a full cone NAT, an
external host can send a
packet to the internal host
only if the internal host
had previously sent a
packet to it.
Some NAT types
• Port restricted cone NAT
or symmetric NAT is like
a restricted cone NAT, but
the restriction includes
port numbers.
• Specifically, an external
host can send a packet to
a particular port on the
internal host only if the
internal host had
previously sent a packet
from that port to the
external host.
Some NAT types
• With symmetric NAT all
requests from the same
internal IP address and port
to a specific destination IP
address and port are
mapped to a unique external
source IP address and port.
• If the same internal host
sends a packet with the
same source address and
port to a different destination,
a different mapping is used.
• Only an external host that
receives a packet can send a
UDP packet back to the
internal host.
NAT
• Many NAT implementations follow a port
preservation design.
• For most communications, they will use the
same values as internal and external port
numbers.
• If two internal hosts attempt to communicate with
the same external host using the same port
number, the external port number used by the
second host will be chosen at random.
– Such a NAT will sometimes be perceived as a restricted
cone NAT and at other times as a symmetric NAT.
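The translation behaviour described on the PAT and NAT slides above (one public address shared by many internal hosts, a translation table consulted when replies return, port preservation with a random fallback, and the four NAT types) as an added worked example in Python. This is not code from the lecture; the class and mode names, the public and private addresses, and the sample packets are constructed for the example.

```python
"""Added example (not from the lecture slides): a minimal model of a PAT/NAT
device with one public address shared by several internal hosts. Addresses,
ports and the traffic below are constructed for the example."""
import random
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.1"   # constructed public address (RFC 5737 documentation range)

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class PatDevice:
    """mode selects the inbound filtering behaviour:
    full_cone       - any external host may send to a mapped port
    restricted_cone - only external IPs the internal host has already sent to
    port_restricted - only external IP:port pairs the internal host has sent to
    symmetric       - one mapping per destination; only that destination may reply"""

    def __init__(self, public_ip, mode="port_restricted", seed=0):
        self.public_ip = public_ip
        self.mode = mode
        self.rng = random.Random(seed)   # seeded so the example is reproducible
        self.mappings = {}   # translation key -> external port
        self.reverse = {}    # external port -> (internal ip, internal port)
        self.peers = {}      # external port -> set of (dst ip, dst port) sent to

    def _key(self, pkt):
        # Cone NATs key on the internal endpoint; symmetric NAT keys on the destination too.
        if self.mode == "symmetric":
            return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.src_ip, pkt.src_port)

    def _allocate_port(self, wanted):
        # Port preservation: keep the internal port if free, else pick an unused one at random.
        if wanted not in self.reverse:
            return wanted
        while True:
            candidate = self.rng.randint(1024, 65535)
            if candidate not in self.reverse:
                return candidate

    def outbound(self, pkt):
        """Translate a packet leaving the internal network; returns the rewritten packet."""
        key = self._key(pkt)
        if key not in self.mappings:
            ext_port = self._allocate_port(pkt.src_port)
            self.mappings[key] = ext_port
            self.reverse[ext_port] = (pkt.src_ip, pkt.src_port)
            self.peers[ext_port] = set()
        ext_port = self.mappings[key]
        self.peers[ext_port].add((pkt.dst_ip, pkt.dst_port))
        # Only the internal endpoint is rewritten; the external host's address and port are kept.
        return Packet(self.public_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate a packet arriving from outside; returns None when the device drops it."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.reverse:
            return None   # no table entry: for the outside host this is a dead end
        seen = self.peers[pkt.dst_port]
        if self.mode == "restricted_cone" and pkt.src_ip not in {ip for ip, _ in seen}:
            return None
        if self.mode in ("port_restricted", "symmetric") and (pkt.src_ip, pkt.src_port) not in seen:
            return None
        in_ip, in_port = self.reverse[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port)

def demo(mode):
    """Two internal hosts use the same source port; returns what the chosen NAT type lets in."""
    nat = PatDevice(PUBLIC_IP, mode)
    server = ("198.51.100.7", 80)   # constructed external web server
    out1 = nat.outbound(Packet("192.168.0.10", 5000, *server))
    out2 = nat.outbound(Packet("192.168.0.11", 5000, *server))   # port 5000 is already taken
    reply = nat.inbound(Packet(server[0], server[1], PUBLIC_IP, out1.src_port))
    other_port = nat.inbound(Packet(server[0], 81, PUBLIC_IP, out1.src_port))
    stranger = nat.inbound(Packet("198.51.100.9", 4444, PUBLIC_IP, out1.src_port))
    return {
        "ext_port_host1": out1.src_port,   # preserved: 5000
        "ext_port_host2": out2.src_port,   # chosen at random, never 5000
        "reply_delivered_to": (reply.dst_ip, reply.dst_port) if reply else None,
        "same_ip_other_port_delivered": other_port is not None,
        "stranger_delivered": stranger is not None,
    }

def symmetric_uses_distinct_mappings():
    """Same internal endpoint, two destinations: symmetric NAT allocates two external ports."""
    nat = PatDevice(PUBLIC_IP, "symmetric")
    a = nat.outbound(Packet("192.168.0.10", 5000, "198.51.100.7", 80))
    b = nat.outbound(Packet("192.168.0.10", 5000, "198.51.100.8", 80))
    return a.src_port != b.src_port

if __name__ == "__main__":
    for mode in ("full_cone", "restricted_cone", "port_restricted", "symmetric"):
        print(mode, demo(mode))
```

Running the script shows the same translation table producing different inbound results per NAT type: the full cone lets an unrelated external host reach the mapped port, the restricted cone admits the known server from any port, the port restricted cone and the symmetric NAT admit only the exact endpoint the internal host talked to, and the second internal host's colliding port 5000 is replaced by a random one, which is the behaviour the port preservation slide describes.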
Firewall
• A firewall is an information technology (IT)
security device which is configured to
permit, deny or proxy data connections set
and configured by the organization's
security policy.
• Firewalls can either be hardware and/or
software based.
Firewall
• A firewall's basic task is to control traffic between
computer networks with different zones of trust.
– Typical examples are the Internet which is a zone with
no trust and an internal network which is (and should
be) a zone with high trust.
– The ultimate goal is to provide controlled interfaces
between zones of differing trust levels through the
enforcement of a security policy and connectivity
model based on the least privilege principle and
separation of duties.
Firewall
• A firewall is also called a Border Protection
Device (BPD) in certain military contexts
where a firewall separates networks by
creating perimeter networks in a
Demilitarized zone (DMZ).
• In a BSD context they are also known as a
packet filter.
• A firewall's function is analogous to
firewalls in building construction.
Firewall Types
• There are three basic types of firewalls
depending on:
– Whether the communication is being done
between a single node and the network, or
between two or more networks.
– Whether the communication is intercepted at
the network layer, or at the application layer.
– Whether the communication state is being
tracked at the firewall or not.
Firewall Types
• With regard to the scope of filtered
communications there exist:
– Personal firewalls, a software application which
normally filters traffic entering or leaving a single
computer.
– Network firewalls, normally running on a dedicated
network device or computer positioned on the
boundary of two or more networks or DMZs
(demilitarized zones).
• Such a firewall filters all traffic entering or leaving the
connected networks.
Firewall Types
• In reference to the layers where the traffic
can be intercepted, three main categories
of firewalls exist:
– Network layer firewalls.
• An example would be iptables.
– Application layer firewalls.
• An example would be TCP Wrappers.
– Application firewalls.
• An example would be restricting ftp services
through the /etc/ftpaccess file.
Network Layer Firewall
• A network layer firewall works as a packet filter
by deciding what packets will pass the firewall
according to rules defined by the administrator.
• Filtering rules can act on the basis of source and
destination address and on ports, in addition to
whatever higher-level network protocols the
packet contains.
• Network layer firewalls tend to operate very fast,
and transparently to users.
Network Layer Firewall
• Network layer firewalls generally fall into two
sub-categories, stateful and stateless.
– Stateful firewalls hold some information on the state
of connections (for example: established or not,
initiation, handshaking, data or breaking down the
connection) as part of their rules (e.g. only hosts
inside the firewall can establish connections on a
certain port).
– Stateless firewalls have packet-filtering capabilities
but cannot make more complex decisions on what
stage communications between hosts have reached.
• Stateless firewalls therefore offer less security.
• Stateless firewalls somewhat resemble a router in their ability
to filter packets.
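The DMZ policy from the slides above (internal and external hosts may open connections into the DMZ, DMZ hosts may open connections outward only) combined with the stateful/stateless distinction in this section, as an added example in Python that is not part of the lecture. The zones, the addresses and the packets are constructed; the stateless rule for admitting return traffic (any reverse-direction packet from a source port below 1024) is this example's own simplification, chosen to show why a filter without connection state offers less security.

```python
"""Added example (not from the lecture slides): a toy zone-based packet filter
that encodes the DMZ policy once without and once with connection tracking.
Zones, addresses and the sample packets are constructed for the example."""
import ipaddress
from dataclasses import dataclass

ZONES = {   # constructed addressing; anything else counts as "external"
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
}

ALLOWED_INITIATIONS = {   # (from zone, to zone) pairs that may open a connection
    ("internal", "dmz"), ("internal", "external"),
    ("external", "dmz"), ("dmz", "external"),
}

@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # True for a TCP packet that opens a connection

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

class StatelessFilter:
    """Judges every packet on its own. It cannot know whether a packet is a
    reply, so return traffic has to be admitted by a static rule (here: any
    reverse-direction packet whose source port is a well-known service port)."""

    def decide(self, pkt):
        pair = (zone_of(pkt.src_ip), zone_of(pkt.dst_ip))
        if pair in ALLOWED_INITIATIONS:
            return "accept"
        if pair[::-1] in ALLOWED_INITIATIONS and pkt.src_port < 1024:
            return "accept"   # assumed to be a reply; the filter has no way to check
        return "drop"

class StatefulFilter:
    """Keeps a connection table. Only an initiation between a permitted zone
    pair creates an entry; afterwards only packets matching an entry pass."""

    def __init__(self):
        self.table = set()   # 5-tuples of connections that were allowed to open

    def decide(self, pkt):
        fwd = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if fwd in self.table or rev in self.table:
            return "accept"   # belongs to a tracked connection, in either direction
        opens = pkt.syn or pkt.proto == "udp"   # UDP has no handshake: its first packet opens
        if opens and (zone_of(pkt.src_ip), zone_of(pkt.dst_ip)) in ALLOWED_INITIATIONS:
            self.table.add(fwd)
            return "accept"
        return "drop"

SAMPLE = [   # constructed packets, in arrival order
    ("external client opens HTTP to the DMZ web server",
     Packet("tcp", "203.0.113.5", 51000, "192.168.100.10", 80, syn=True)),
    ("DMZ web server replies to that client",
     Packet("tcp", "192.168.100.10", 80, "203.0.113.5", 51000)),
    ("internal admin opens SSH to the DMZ host",
     Packet("tcp", "10.1.2.3", 40000, "192.168.100.10", 22, syn=True)),
    ("DMZ host answers the admin",
     Packet("tcp", "192.168.100.10", 22, "10.1.2.3", 40000)),
    ("DMZ host opens a new connection inward, sourced from port 80",
     Packet("tcp", "192.168.100.10", 80, "10.1.2.3", 22, syn=True)),
    ("external host connects straight to an internal host",
     Packet("tcp", "203.0.113.5", 51001, "10.1.2.3", 22, syn=True)),
]

def run_sample():
    """Returns (description, stateless verdict, stateful verdict) for each sample packet."""
    stateless, stateful = StatelessFilter(), StatefulFilter()
    return [(label, stateless.decide(p), stateful.decide(p)) for label, p in SAMPLE]

if __name__ == "__main__":
    for label, a, b in run_sample():
        print(f"{a:6} {b:6}  {label}")
```

Both filters agree on the genuine DMZ traffic and on the direct external-to-internal attempt. They differ on the fifth packet: the stateless filter has to accept it because it looks like return traffic, whereas the stateful filter drops it because no connection from the internal host to that DMZ endpoint was ever tracked, which is exactly the "dead end" property the DMZ slides describe.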
Network Layer Firewall
• Any normal computer running an operating
system which supports packet filtering and
routing can function as a network layer
firewall.
• Appropriate operating systems for such a
configuration include Linux, Solaris, BSDs
or Windows Server.
Application Layer Firewall
• An application layer firewall is a firewall
operating at the application layer of a protocol
stack.
• Generally it is a host using various forms of
proxy servers to proxy traffic instead of routing it.
• As it works on the application layer, it may
inspect the contents of the traffic, blocking what
the firewall administrator views as inappropriate
content, such as certain websites, viruses,
attempts to exploit known logical flaws in client
software, and so forth.
Application Layer Firewall
• An application layer firewall does not route
traffic on the network layer.
• All traffic stops at the firewall which may
initiate its own connections if the traffic
satisfies the rules.
Application Firewall
• An application firewall limits the access which
software applications have to the operating
system services, and consequently to the
internal hardware resources found in a
computer, much as a car firewall limits access of
heat, or even fire, to the passengers of the
vehicle.
• The reason that application firewalls are needed
in today's internet and data-sharing world is that
the other types of firewalls in existence do not
control the execution of data, only of the flow of
data to the computer's processor.
Proxy
• A proxy server is a computer that offers a computer
network service to allow clients to make indirect network
connections to other network services.
• A client connects to the proxy server, then requests a
connection, file, or other resource available on a different
server.
• The proxy provides the resource either by connecting to
the specified server or by serving it from a cache.
• In some cases, the proxy may alter the client's request or
the server's response for various purposes, usually to
view websites normally not allowed.
Web Proxy
• Proxies that attempt to block offensive web
content are implemented as web proxies.
• Other web proxies reformat web pages for a
specific purpose or audience; for example,
Skweezer reformats web pages for cell phones
and PDAs.
• Network operators can also deploy proxies to
intercept computer viruses and other hostile
content served from remote web pages.
Intercepting Proxy
• An intercepting proxy, often incorrectly
called a transparent proxy (also known as a
forced proxy), combines a proxy server
with NAT. Connections made by client
browsers through the NAT are intercepted
and redirected to the proxy without
client-side configuration (or often knowledge).
Intercepting Proxy
• Intercepting proxies are commonly used in
businesses to prevent avoidance of acceptable
use policy, and to ease administrative burden,
since no client browser configuration is required.
• Intercepting proxies are also commonly used by
Internet Service Providers in many countries in
order to reduce upstream link bandwidth
requirements by providing a shared cache to
their customers.
Open Proxy
• An open proxy is a proxy server which will accept client
connections from any IP address and make connections
to any Internet resource.
• Generally, a proxy server allows users within a network
group to store and forward internet services such as
DNS or web pages so that the bandwidth used by the
group is reduced and controlled.
• With an "open" proxy, however, any user on the Internet
is able to use this forwarding service.
• Because proxies might be used for abuse, system
administrators have developed a number of ways to
refuse service to open proxies.
Reverse Proxy
• A reverse proxy is a proxy server that is
installed in the neighborhood of one or
more web servers. All traffic coming from
the Internet and with a destination of one
of the web servers goes through the proxy
server.
Reverse Proxy
• Typically, reverse proxies are utilized in front of
webservers.
• All connections coming from the Internet
addressed to one of the webservers are routed
through the proxy server, which may either deal
with the request itself or pass the request wholly
or partially to the main webserver.
• Contrast this with 'forward proxy', which is a
proxy server configured in the end-user's
browser.
Reverse Proxy
• There are several reasons for installing reverse proxy
servers:
– Security: the proxy server is an additional layer of defense and
therefore protects the webservers further up the chain.
– Encryption / SSL acceleration: when secure websites are
created, the SSL encryption is sometimes not done by the
webserver itself, but by a reverse proxy that is equipped with
SSL acceleration hardware.
– Load distribution: the reverse proxy can distribute the load to
several servers, each server serving its own application area. In
the case of reverse proxying in the neighborhood of webservers,
the reverse proxy may have to rewrite the URLs in each
webpage (translation from externally known URLs to the internal
locations).
Reverse Proxy
– Caching static content: A reverse proxy can offload
the webservers by caching static content, such as
images. Proxy caching of this sort can often satisfy a
considerable amount of website requests, greatly
reducing the load on the central web server.
– Compression: the proxy server can optimize and
compress the content to speed up the load time.
– Spoon feeding: if a program is producing the
webpage on the webservers, the webservers can
produce it, serve it to the reverse-proxy, which can
spoon-feed it however slowly the clients need and
then close the program rather than having to keep it
open while the clients insist on being spoon fed.
Split Proxy
• A split proxy is effectively a pair of proxies
installed across two computers. Since they
are effectively two parts of the same
program, they can communicate with each
other in a more efficient way than they can
communicate with a more standard
resource or tool such as a website or
browser.
Split Proxy
• This is ideal for compressing data over a slow
link, such as a wireless or mobile data service
and also for reducing the issues regarding high
latency links (such as satellite internet) where
establishing a TCP connection is time
consuming.
– Taking the example of web browsing, the user's
browser is pointed to a local proxy which then
communicates with its other half at some remote
location. This remote server fetches the requisite
data, repackages it and sends it back to the user's
local proxy, which unpacks the data and presents it to
the browser in the standard fashion.
IDS
• An intrusion detection system (IDS)
generally detects unwanted manipulations
to computer systems, mainly through the
Internet.
• The manipulations may take the form of
attacks by skilled malicious hackers, or
script kiddies using automated tools.
IDS
• An intrusion detection system is used to detect
all types of malicious network traffic and
computer usage that can't be detected by a
conventional firewall.
• This includes
– network attacks against vulnerable services
– data driven attacks on applications
– host based attacks such as privilege escalation,
unauthorized logins and access to sensitive files
– malware (viruses, trojan horses, and worms).
IDS
• An IDS is composed of several
components:
– Sensors which generate security events,
– a Console to monitor events and alerts and
control the sensors
– a central Engine that records events logged
by the sensors in a database and uses a
system of rules to generate alerts from
security events received.
IDS
– There are several ways to categorize an IDS
depending on the type and location of the
sensors and the methodology used by the
engine to generate alerts.
– In many simple IDS implementations all three
components are combined in a single device
or appliance.
IDS
• In a network-based intrusion-detection system
(NIDS), the sensors are located at choke points
in the network to be monitored, often in the
demilitarized zone (DMZ) or at network borders.
• The sensor captures all network traffic and
analyzes the content of individual packets for
malicious traffic.
• In protocol-based (PIDS) and application
protocol-based (APIDS) systems, the sensors monitor
the transport and application protocols for illegal or
inappropriate traffic or language constructs (say, SQL).
IDS
• A network intrusion detection system is an
independent platform which identifies
intrusions by examining network traffic and
monitors multiple hosts.
• Network Intrusion Detection Systems gain
access to network traffic by connecting to
a hub, network switch configured for port
mirroring, or network tap.
• An example of a NIDS is Snort.
IDS
• In a host-based system, the sensor usually
consists of a software agent, which
monitors all activity of the host on which it
is installed.
IDS
• A host-based intrusion detection system
(HIDS) is an intrusion detection system
that focuses its monitoring and analysis on
the internals of a computing system rather
than on its external interfaces (as a
network intrusion detection system (NIDS)
would do).
Protocol Based IDS(PIDS)
• A protocol-based intrusion detection system consists of a
system or agent that would typically sit at the front end of
a server, monitoring and analyzing the communication
protocol between a connected device (a user/PC or
system) and the server.
• For a web server this would typically monitor the HTTPS
protocol stream and understand the HTTP protocol
relative to the web server/system it is trying to protect.
Where HTTPS is in use, this system would need to
reside in the "shim" or interface between the point where
HTTPS is decrypted and the point where the data enters the
Web presentation layer.
Application Protocol-Based IDS
• An application protocol-based intrusion detection
system consists of a system or agent that would
typically sit within a group of servers, monitoring
and analyzing the communication on application
specific protocols.
• For example, in a web server with a database this
would monitor the SQL protocol specific to the
middleware/business logic as it transacts with
the database.
Hybrid IDS
• A hybrid intrusion detection system
combines one or more approaches.
• Host agent data is combined with network
information to form a comprehensive view
of the network.
Passive vs. Reactive IDS
• In a passive system, the IDS sensor detects a
potential security breach, logs the information
and signals an alert on the console.
• In a reactive system, also known as an intrusion
prevention system (IPS), the IDS responds to
the suspicious activity by resetting the
connection or by reprogramming the firewall to
block network traffic from the suspected
malicious source. This can happen automatically
or at the command of an operator.
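An added example, not from the lecture, of the IDS components described above in Python: sensor events feed a central engine, whose rules generate alerts for the console; in reactive (IPS) mode the engine also marks the offending source as blocked, standing in for reprogramming the firewall. The event format, the two rules (a failed-login threshold from a host sensor, a SQL construct check on request lines from a network or application-protocol sensor) and the thresholds are this example's own assumptions, and the events are constructed.

```python
"""Added example (not from the lecture slides): a miniature IDS engine fed by
constructed sensor events, run once as a passive IDS and once as a reactive IPS.
Rule names, thresholds and the event format are this example's own."""
import re
from collections import defaultdict

FAILED_LOGIN_THRESHOLD = 5   # alert when this many failed logins from one source ...
FAILED_LOGIN_WINDOW = 60     # ... fall within this many seconds
SQL_PATTERN = re.compile(r"\b(union\s+select|or\s+1\s*=\s*1|drop\s+table)\b", re.IGNORECASE)

# Constructed sensor events: (seconds, sensor type, source ip, detail)
SAMPLE_EVENTS = [
    (100, "hids", "203.0.113.7", "failed login for root"),
    (101, "hids", "203.0.113.7", "failed login for root"),
    (102, "hids", "203.0.113.7", "failed login for admin"),
    (103, "hids", "203.0.113.7", "failed login for admin"),
    (104, "hids", "203.0.113.7", "failed login for root"),
    (150, "hids", "198.51.100.4", "failed login for alice"),
    (160, "apids", "198.51.100.9", "GET /items?id=1 UNION SELECT 1,2,3"),
    (170, "nids", "203.0.113.20", "GET /index.html"),
    (180, "hids", "203.0.113.7", "failed login for root"),
]

class Engine:
    """Central engine: records every event, applies the rules, generates alerts."""

    def __init__(self, reactive=False):
        self.reactive = reactive
        self.failures = defaultdict(list)   # source ip -> recent failed-login timestamps
        self.log = []                       # every event the engine received
        self.alerts = []                    # (time, rule, source) shown on the console
        self.blocked = set()                # sources a reactive engine had the firewall block

    def handle(self, event):
        ts, sensor, src, detail = event
        if src in self.blocked:
            return   # a reactive engine already blocked this source at the firewall
        self.log.append(event)
        if "failed login" in detail:
            recent = [t for t in self.failures[src] if ts - t <= FAILED_LOGIN_WINDOW]
            recent.append(ts)
            self.failures[src] = recent
            if len(recent) >= FAILED_LOGIN_THRESHOLD:
                self._alert("repeated failed logins", src, ts)
                self.failures[src] = []   # start a fresh window after alerting
        if sensor in ("nids", "apids") and SQL_PATTERN.search(detail):
            self._alert("SQL construct in HTTP request", src, ts)

    def _alert(self, rule, src, ts):
        self.alerts.append((ts, rule, src))
        if self.reactive:
            self.blocked.add(src)   # stands in for reprogramming the firewall

def run(reactive):
    """Feed the sample events through a passive (False) or reactive (True) engine."""
    engine = Engine(reactive=reactive)
    for event in SAMPLE_EVENTS:
        engine.handle(event)
    return engine

if __name__ == "__main__":
    for mode in (False, True):
        e = run(mode)
        print("reactive" if mode else "passive", e.alerts, sorted(e.blocked), len(e.log))
```

In passive mode the engine logs all nine events and raises two alerts; in reactive mode the same two alerts also block their sources, so the ninth event from the first source never reaches the engine. The single failed login from the second host stays below the threshold and produces no alert in either mode.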