Security appliances


SECURITY APPLIANCES
Module 2 Unit 2
SECURE NETWORK TOPOLOGIES
A topology is a description of how a computer network is physically or logically organized.
- It is essential to define the topology when designing a computer network and to update the map when any changes or additions are made to it.
- The logical and physical network topology should be analysed to identify points of vulnerability and to ensure that the goals of confidentiality, integrity and availability are met by the design.
ZONES AND ACCESS CONTROL LISTS
The main unit of a security topology is a zone.
- A zone is an area of the network (or of a connected network) where the security configuration is the same for all hosts within it.
- Network traffic between zones is strictly controlled, using a security device: the firewall.
ZONES AND ACCESS CONTROL LISTS CONT’D…
A firewall is software or hardware that filters traffic passing into and out of the network.
- The firewall bases its decisions on a set of rules called an Access Control List (ACL).
- Dividing a network into zones implies that each zone has a different security configuration.
MAIN ZONES
- Private network (intranet): a network of trusted hosts owned and controlled by the organization.
- Extranet: a network of semi-trusted hosts, typically representing business partners, suppliers or customers. Hosts must authenticate to join the extranet.
- Internet: a zone permitting anonymous access (or perhaps a mix of anonymous and authenticated access) by untrusted hosts over the internet.
NETWORK SECURITY ZONES
DEMILITARIZED ZONES (DMZ)
A DMZ is a computer host or small network inserted as a “neutral zone” between a company’s private network and the outside public network.
- It prevents outside users from getting direct access to a server that holds company data.
- A bastion host is a device in a DMZ that is built to withstand attacks.
NETWORK ADDRESS TRANSLATION
NAT is a method that enables hosts on private networks to communicate with hosts on the Internet.
- NAT uses a one-to-one mapping or a one-to-many mapping method to allow one or more private IP clients to gain access to the Internet by mapping the private IP addresses to public IP addresses.
NETWORK ADDRESS TRANSLATION CONT’D…
Type of address   Description
Inside local      Private IP address that is being translated into a public IP address
Inside global     Public IP address that the private IP address is being translated into
Outside global    The destination’s (outside) public IP address
Outside local     The destination’s (outside) private IP address
The NAT device has an address translation table.
One-to-one address translation
STATIC NAT
In static NAT, manual translation is performed by an address translation device, translating one IP address to a different one.
- Static NAT is the simplest form of NAT.
- A single private IP address is mapped to a single public IP address.
- The NAT router must maintain a table in memory; the table maps internal IP addresses to the addresses presented to the Internet.
DYNAMIC NAT
- The NAT router automatically maps a group of valid local IP addresses to a group of Internet IP addresses, as needed.
- The network administrator is not concerned about which IP address the internal clients use.
- Any private IP address will automatically be translated to one of the available Internet IP addresses by the NAT router.
- Addresses for dynamic NAT are pulled out of a predefined pool of public addresses.
PORT ADDRESS TRANSLATION
Port address translation (PAT), also known as overloading, is a special form of dynamic NAT.
- It allows multiple internal, private IP addresses to use a single external registered address.
- To differentiate between the connections, PAT uses multiple public TCP and UDP ports to create unique sockets that map to internal IP addresses.
PORT ADDRESS TRANSLATION CONT’D…
DESTINATION NAT / PORT FORWARDING
- The NAT server uses port forwarding to send connections from external clients to the web server on the internal network.
- The router takes requests from the internet for a particular application (say, HTTP/port 80) and sends them to a designated host and port on the LAN.
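The three NAT behaviours above (PAT for outbound flows, reply matching through the translation table, and a static port forward for inbound requests) as an added example; this is illustrative code written for this page, not anything from the slides, and the public address, pool ports and forwarded host are constructed documentation-range values.

```python
# Added example (not from the slides): a toy NAT box that does PAT
# (overloading) for outbound flows and destination NAT (port forwarding)
# for inbound ones. All addresses are constructed documentation-range values.
from itertools import count


class NatBox:
    def __init__(self, public_ip, forwards=None, first_port=40000):
        self.public_ip = public_ip          # the single inside-global address
        self.forwards = forwards or {}      # public port -> (inside host, inside port)
        self.next_port = count(first_port)  # pool of public ports handed out by PAT
        self.table = {}                     # (priv_ip, priv_port, dst_ip, dst_port) -> pub_port
        self.reverse = {}                   # pub_port -> (priv_ip, priv_port, dst_ip, dst_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an outbound packet; returns the socket the Internet sees."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.table:           # first packet of the flow: allocate a port
            pub_port = next(self.next_port)
            self.table[key] = pub_port
            self.reverse[pub_port] = key
        return (self.public_ip, self.table[key])

    def inbound(self, src_ip, src_port, dst_port):
        """Translate a packet arriving at the public address, or drop it (None)."""
        entry = self.reverse.get(dst_port)
        if entry and entry[2:] == (src_ip, src_port):   # reply to a tracked flow
            return entry[:2]
        if dst_port in self.forwards:                   # static port forward (DNAT)
            return self.forwards[dst_port]
        return None                                     # unsolicited: dropped


def run_demo():
    nat = NatBox("198.51.100.1", forwards={80: ("10.0.0.80", 8080)})
    a = nat.outbound("10.0.0.5", 51000, "203.0.113.10", 443)
    b = nat.outbound("10.0.0.6", 51000, "203.0.113.10", 443)  # same private port, distinct public port
    reply = nat.inbound("203.0.113.10", 443, a[1])             # return traffic finds its way back
    web = nat.inbound("192.0.2.33", 60000, 80)                 # external client reaches the DMZ web server
    stray = nat.inbound("192.0.2.33", 60000, 2222)             # nothing in the table: dropped
    return a, b, reply, web, stray
```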
FIREWALL
A firewall is a network security system that controls the incoming and outgoing network traffic based on an applied rule set.
- A firewall establishes a barrier between a trusted, secure internal network and another network (e.g., the Internet) that is assumed not to be secure and trusted.
PACKET FILTERING FIREWALL
A packet filtering firewall can inspect the headers of IP packets.
- Uses transport-layer information only:
  - IP source address, destination address
  - Protocol/Next Header (TCP, UDP, ICMP, etc.)
  - TCP or UDP source and destination ports
  - ICMP message type
It uses the following header information as criteria for filtering every data packet:
- IP address of origin
- IP target address
- The protocol used
- ICMP message type
- TCP/UDP target port
- TCP/UDP origin port
- Receiving network device
- Sending network device
STATEFUL INSPECTION FIREWALL
- Traditional packet filters do not examine transport-layer context, i.e. matching return packets with the outgoing flow.
- Stateful packet filters address this need: they examine each IP packet in context.
  - They keep track of client-server sessions.
  - They check that each packet validly belongs to one.
- Hence they are better able to detect bogus packets that are out of context.
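The difference between the two filters described above, as an added example that is not part of the slides: a stateless ACL that has to leave a hole for "return" traffic, beside a stateful filter that only admits inbound packets matching a session a client opened. The packet fields, the ACL rule and the private prefix are assumptions made for the illustration.

```python
# Added example (not from the slides): a stateless packet filter beside a
# stateful one, run over constructed packets. Fields and rules are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # "S" = SYN, "SA" = SYN/ACK, "A" = ACK


INTERNAL = "10.0.0."   # constructed private-zone prefix


def stateless_allow(pkt: Packet) -> bool:
    """Plain ACL: allow all outbound traffic, and allow inbound packets whose
    source port is 80 so that web replies can come back. That second rule
    is the hole: any outside host can send a packet 'from' port 80."""
    if pkt.src.startswith(INTERNAL):
        return True
    return pkt.sport == 80


class StatefulFilter:
    def __init__(self):
        self.sessions = set()   # (client, client_port, server, server_port)

    def allow(self, pkt: Packet) -> bool:
        if pkt.src.startswith(INTERNAL):
            if "S" in pkt.flags and "A" not in pkt.flags:   # client SYN opens a session
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # inbound: accepted only if it is the reverse of a tracked session
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def run_demo():
    out = Packet("10.0.0.5", 51000, "203.0.113.10", 80, "S")      # client opens connection
    legit = Packet("203.0.113.10", 80, "10.0.0.5", 51000, "SA")   # genuine reply
    bogus = Packet("198.51.100.7", 80, "10.0.0.9", 3389, "A")     # unsolicited, out of context
    sf = StatefulFilter()
    return {
        "stateless": [stateless_allow(p) for p in (out, legit, bogus)],
        "stateful": [sf.allow(p) for p in (out, legit, bogus)],
    }
```

The stateless filter passes the bogus packet because its source port looks like web traffic; the stateful one rejects it because no internal client ever opened that session.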
APPLICATION LAYER GATEWAY
Also called an application proxy or application-level proxy, an application gateway is an application program that runs on a firewall system between two networks.
- When a client program establishes a connection to a destination service, it connects to an application gateway, or proxy.
PROXY SERVERS AND GATEWAYS
- Filter unwanted services
- There is no direct data exchange between internal and external computers
REVERSE PROXY SERVERS
- Monitor inbound traffic
- Prevent direct, unmonitored access to the server’s data from outside the company
- Advantages:
  - Performance
  - Privacy
EMAIL GATEWAYS AND SPAM
Spam is junk email or unsolicited email.
- Most new email application software has spam filtering built in.
- This is an appropriate solution for home users, but on enterprise networks, if spam has already reached the user’s mailbox then it has already wasted bandwidth and taken up space on the server.
- A secure configuration for email is to install an email relay server in a DMZ.
METHODS TO REDUCE SPAM
- Whitelist: if an organization only deals with a limited number of correspondents, it can set up a whitelist of permitted domains.
- SMTP standard checking: rejecting email that is not strictly RFC-compliant.
- rDNS lookup: rejecting mail from servers where the IP address does not match the domain in the message header or is a dynamically assigned address.
- Tarpitting: introducing a delayed response to the SMTP session. This makes the spammer’s server less efficient.
- Recipient filtering: block mail that is not addressed to a valid recipient email address.
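The checks listed above combined into one inbound-relay policy, as an added example written for this page rather than taken from the slides: a domain whitelist, a minimal SMTP standards check, an rDNS consistency check, recipient filtering, and a tarpit delay returned with every rejection. The PTR table stands in for real reverse-DNS lookups, and the domains, addresses and mailbox list are constructed.

```python
# Added example (not from the slides): a DMZ mail-relay policy applying the
# anti-spam checks on the slide. The PTR table is a constructed stand-in for
# reverse DNS; domains and mailboxes are made up for the illustration.
from dataclasses import dataclass


@dataclass
class RelayPolicy:
    allowed_domains: set      # whitelist of correspondent domains
    valid_recipients: set     # mailboxes that actually exist on the inside
    ptr_table: dict           # client IP -> PTR name (stand-in for an rDNS lookup)
    tarpit_seconds: int = 10  # delay applied before sending any rejection

    def check(self, client_ip: str, mail_from: str, rcpt_to: str):
        """Return (accept, reason, delay_before_reply)."""
        if mail_from.count("@") != 1:                       # minimal standards check
            return self._reject("malformed MAIL FROM")
        sender_domain = mail_from.split("@")[1].lower()
        if sender_domain not in self.allowed_domains:       # whitelist
            return self._reject("sender domain not whitelisted")
        ptr = self.ptr_table.get(client_ip)                 # rDNS lookup
        if ptr is None or not ptr.lower().endswith("." + sender_domain):
            return self._reject("rDNS does not match sender domain")
        if rcpt_to.lower() not in self.valid_recipients:    # recipient filtering
            return self._reject("unknown recipient")
        return True, "ok", 0

    def _reject(self, reason: str):
        # Tarpit: every rejection is answered only after a delay, so a bulk
        # sender burns time on each refused attempt.
        return False, reason, self.tarpit_seconds


def run_demo():
    policy = RelayPolicy(
        allowed_domains={"partner.example"},
        valid_recipients={"sales@corp.example"},
        ptr_table={"203.0.113.10": "mx1.partner.example",
                   "198.51.100.7": "dyn-7.isp.example"},   # looks like a dynamic host
    )
    return [
        policy.check("203.0.113.10", "alice@partner.example", "sales@corp.example"),
        policy.check("198.51.100.7", "bob@partner.example", "sales@corp.example"),
        policy.check("203.0.113.10", "alice@partner.example", "nobody@corp.example"),
        policy.check("192.0.2.9", "spam@random.example", "sales@corp.example"),
    ]
```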