Securing the network perimeter
Download
Report
Transcript Securing the network perimeter
Security fundamentals
Topic 10
Securing the network perimeter
Agenda
• Secure network topologies and
security zones
• Network perimeter security and
models
• Implementing firewalls
Secure topologies
• Goal is to separate network traffic so that no network
segment carries traffic not required on the segment
• Performance will also be more efficient
• Security zones:
– Areas of the network that contain resources with similar
security requirements
– Group computers and devices according to security needs
– Reduce the attack surface of your resources
– Builds a network security framework
• What are the threats?
• What can be used to protect?
Security zones
• VLANs
– Create security zones with VLANs: subnets created by
switches and joined by routers
• 802.1q tagging
• Servers can sit on many VLANS
• Limits broadcast domains
• Flexible for adding, moving and changing port VLANs
• Hides physical configuration
• Fast isolation of devices that are the source of threats
• Vulnerable to Layer 2 attacks
Security zones
• Create security zones by placing firewalls
between internal and external networks
• Perimeter network, screened subnet, DMZ: a
separate security zone for Internet facing
resources.
• Intranet (trusted)
• Extranet (partners)
• Perimeter network (access from internet)
• Internet (untrusted)
Intranets
• Internal network, private network, LAN
• Typically trusted but not safe from disgruntled
employees and contractors
• Protection:
–
–
–
–
–
Firewall protection from internet and DMZ
Antivirus on all network hosts
Audit critical resources and confidential data
Use firewalls on hosts with confidential data
Document and audit physical infrastructure and critical
systems for unauthorised devices and connections
– Restrict and monitor access to critical systems
– Remove unnecessary services from mission critical servers
Perimeter networks
• Deploy public resources such as DNS, mail and web
servers
• Also use for untrusted networks (eg wireless)
• Protection:
–
–
–
–
–
–
–
Firewall external network
Limit services and remove unnecessary services
Audit all services
Name resolution is separated from internal network
Remove or restrict remote management service
Document and audit all physical and logical configurations
Perform frequent data and configuration backups
Extranets
• Partner access to resources
• Partners must authenticate and then get access to
non public resources
• Access can be provided by a VPN
• Protection:
–
–
–
–
Firewall from external network
Authenticate all access
Limit services and remove unnecessary services
Audit all network and service access
Perimeter network types
• Three-pronged firewall
– Single firewall with three interfaces for internet, internal
network and DMZ
– Small organisations and branch offices
– Weakness is if firewall fails all networks are vulnerable
• Back-to-back firewalls
– Two firewalls with DMZ behind the first firewall and
internal network behind the first and second firewalls.
– Defence in depth strategy: Two firewalls to break to reach
the internal network
– More restrictive rules on the 2nd firewall.
– Security by diversity by using different brands of firewalls
N-Tier architecture & bastion hosts
• For e-business operations
• Business function servers each have separate tiers:
web tier, middle tier, data tier.
• Each tier is protected by a firewall and traffic between
tiers is controlled, thereby reducing the attack surface
• Bastion hosts:
– Single host provides external services
– Single firewall protects internal network and only allows
traffic to bastion host
– If the bastion is compromised the attacker is on the
internal network
– Least secure design
Perimeter security and traffic
• By default block network traffic and then
make exceptions for required network traffic
• Allow only required traffic: block by protocol,
port and destination
• Don’t automatically trust outgoing traffic
(may be confidential data on the way out)
• Review network traffic that was blocked and
investigate the source of this traffic
Firewalls
•
•
•
•
•
•
Packet filtering
Application filtering
Circuit level inspection
Stateful inspection
Content inspection
Proxy
Packet filtering
• Inspects the IP header of each packet
• Applies rules, permit or deny, inbound or outbound
–
–
–
–
–
–
–
–
–
–
Source IP
Destination IP
Layer 4 protocol TCP/UDP
Source port number
Destination port number
ICMP message type (eg echo request)
Fragmentation flags
IP Options (mostly used for diagnostics)
Packet size
No inspection of payload
Circuit level inspection
• Monitors for hosts establishing connections
• If the connection is allowed, then all following
traffic is allowed without further inspection
• Does not inspect payload
• More efficient than packet filtering
Stateful inspection
• Monitors for hosts establishing connections
• If the connection is allowed, then all following
traffic is allowed
• Continues to monitor the packets within the
connection and checks that the packets are valid
– sequence numbers are checked
• Each connection is tracked using a state table
• Does not inspect payload
• Initially a feature of checkpoint firewalls
Application layer filtering/Gateway
• Examines the payload of network packets
• Inspection depends on the application layer protocol
– Will inspect HTTP, SMTP, FTP and other protocol
commands
– Will inspect Microsoft® ActiveX, Java® etc
– Used to check email for viruses
– Used to inspect web requests for signs of attack
– ISA server
– Can be slow as it is deep packet inspection and multiple
packets in a sequence can be examined in context
Tunnelling
• Used to bypass firewall inspection by
encapsulating traffic with a header that will pass
inspection
• Also used to bypass firewall inspection by
encapsulating encrypted traffic that can’t be
inspected
• To protect from tunnel traffic:
– Perform application layer filtering
– Block encrypted traffic
– Implement Intrusion detection
Proxy servers
• Accepts a connection from a client and then
creates a separate connection to the
server/destination
• No direct connection between client and
server
• Application layer proxy will also filter content
and cache web content
• May require the clients to be configured to
use the proxy
NAT
•
•
•
•
•
•
•
•
•
RFC 3022
Changes IP addresses and port numbers
Allows a network to use a single external IP
Private addresses are not routable on the
internet
Hides internal addresses
No payload inspection
Static NAT one-to-one IPs
Dynamic NAT many-to-many IPs
PAT using up to 64,000 port numbers per IP
Protecting firewalls
• Rules:
– Start with a default deny any
– Put specific rules first
– Permit only required ports, protocols, applications
•
•
•
•
•
•
•
•
Keep the firewall updated – watch security announcements
Update virus definition files routinely
Physically protect the firewall
Document firewall configuration and review
Limit and authenticate remote management
Use complex passwords
Know and test rules
Ensure no connections circumvent the firewall
Lesson summary
• Learned about the concept of secure network
topologies, segmented logically into security
zones, with different trust levels
• How to use models and zones to secure the
network perimeter
• How to go about implementing and using
firewalls for network security, and different
types