Network Security

DMZ (De-Militarized Zone): General Framework
Source: J. Wang, Computer Network Security: Theory and Practice, Springer, 2008
What is a DMZ?
• A DMZ is a computer network that sits between a trusted internal network, such as a corporate private LAN, and an untrusted external network, such as the public Internet.
• Also known as a
  – Data Management Zone or
  – Demarcation Zone or
  – Perimeter Network
Typical components of a DMZ network
• Web servers that need to be made available to the general public, such as the company's primary Web presence advertising its products or services.
• Public DNS servers that resolve the names in your domain to the appropriate IP addresses for users outside your organization.
• Public FTP servers on which you provide files to the public
  – Downloads of your product manuals or
  – Software drivers
• Anonymous SMTP relays that forward email from the Internet to internal mail server(s)
• Servers running complex e-commerce Internet and extranet applications
• Proxy servers
Split Configurations
• Mail services can be split between servers on the DMZ and the internal network.
  – The internal mail server handles email from one computer to another on the internal network.
  – Mail that comes in from, or is sent to, computers outside the internal network over the Internet is handled by an SMTP gateway located in the DMZ.
• For e-commerce systems
  – The front-end server, directly accessible by Internet users, is in the DMZ.
  – The back-end servers that store sensitive information are on the internal network.
DMZ with two firewalls
• A DMZ that uses two firewalls is called a back-to-back DMZ.
• An advantage of this configuration is that you can put a fast packet-filtering firewall/router at the front end (the Internet edge) to increase the performance of your public servers,
• and place a slower application-layer filtering (ALF) firewall at the back end (next to the corporate LAN) to provide more protection to the internal network without negatively impacting performance for your public servers.
Tri-homed DMZ
• When a single firewall is used to create a DMZ, it is called a tri-homed DMZ.
• The firewall computer or appliance has interfaces to three separate networks:
  – The internal interface to the trusted network (the internal LAN)
  – The external interface to the untrusted network (the public Internet)
  – The interface to the semi-trusted network (the DMZ)
Creating a DMZ Infrastructure
• Two important characteristics of the DMZ are:
  – It has a different network ID from the internal network
    • A DMZ can use either public or private IP addresses, depending on its architecture
    • With public addresses, subnet the IP address block that is assigned by your ISP
    • If using private IP addresses for the DMZ, a Network Address Translation (NAT) device will be required
  – It is separated from both the Internet and the internal network by a firewall
Security of the DMZ
• The level of security within the DMZ also depends on the nature of the servers that are placed there. We can divide DMZs into two security categories:
  – DMZs designed for unauthenticated or anonymous access
  – DMZs designed for authenticated access
Host Security on the DMZ
• Be sure to set strong passwords and use RADIUS or other certificate-based authentication for accessing the management console remotely.
• Local user accounts with privilege level 15, and HTTP management authenticated against them:
    Router(config)# username richard privilege 15 secret bigXdogYlover
    Router(config)# username natalie privilege 15 secret BIGxDOGyLOVER
    Router(config)# ip http server
    Router(config)# ip http authentication local
• Set up your VTY access for SSH (optional, but recommended):
    Router(config)# username name secret password
    Router(config)# line vty 0 4
    Router(config-line)# transport input ssh
    Router(config-line)# transport output ssh
    Router(config-line)# login local
• To allow you to manage the router through a Web page, it runs an HTTP server. It is a good security practice to disable the HTTP server, as it can serve as a point of attack.
• Assign different privilege levels to users, for example granting the show ip commands at level 5:
    Router(config)# privilege exec all level 5 show ip
Example Network
[Network diagram from the slides; the only recoverable labels are 172.16.2.0/24 and 10.1.1.1/24]

Specify Traffic exiting the corporate network
• The corporate network zone houses private servers and internal clients. No other network should be able to access it.
• Configure an extended access list to specify which traffic can exit the network:
    GAD(config)#access-list 101 permit ip 10.10.10.0 0.0.0.255 any
    GAD(config)#access-list 101 deny ip any any
    GAD(config)#interface fa1
    GAD(config-if)#ip access-group 101 in
• Questions:
  – Can Host A ping the Web Server?
  – Can Host A ping Host B?
  – Can Host B ping the Web Server?
  – Can Host B ping Host A?
Limit Traffic to the Corporate Network
• Questions:
  – Can Host A ping the Web Server?
  – Can Host A ping Host B?
  – Can Host B ping the Web Server?
  – Can Host B ping Host A?
• Traffic that can be allowed into the corporate network must be limited.
• Traffic entering the corporate network will be coming from either the Internet or the DMZ.
• All traffic that originated from the corporate network can be allowed back into that network. Enter the following:
    GAD(config)#access-list 102 permit tcp any any established
• Permit ICMP into the network. This will allow the internal hosts to receive ICMP messages:
    GAD(config)#access-list 102 permit icmp any any echo-reply
    GAD(config)#access-list 102 permit icmp any any unreachable
• No other traffic is desired into the corporate network:
    GAD(config)#access-list 102 deny ip any any
• Finally, apply the access list to the corporate network Fast Ethernet port:
    GAD(config)#interface ethernet1
    GAD(config-if)#ip access-group 102 out
Protect the DMZ Network
• The DMZ network will house only one external server, which will provide World Wide Web services.
• Configure an extended access list to protect the DMZ network:
    GAD(config)#access-list 111 permit ip 10.1.1.0 0.0.0.255 any
    GAD(config)#access-list 111 deny ip any any
    GAD(config)#interface ethernetfa0
    GAD(config-if)#ip access-group 111 in
• Specify which traffic can enter the DMZ network. Traffic entering the DMZ network will be coming from either the Internet or the corporate network requesting World Wide Web services.
• Configure an outbound extended access list specifying that World Wide Web requests be allowed into the network:
    GAD(config)#access-list 112 permit tcp any host 10.1.1.10 eq www
• What command would be entered to allow DNS, Email and FTP requests into the DMZ?
• For management purposes, it would be useful to let corporate users ping the Web Server, but not Internet users:
    GAD(config)#access-list 112 permit icmp 10.10.10.0 0.0.0.255 host 10.1.1.10
    GAD(config)#access-list 112 deny ip any any
    GAD(config)#interface fa ethernet 0
    GAD(config-if)#ip access-group 112 out
Deter Spoofing
• Spoofing: a common method used to forge a valid internal source IP address.
• To deter spoofing, configure an access list so that Internet hosts cannot easily spoof internal network addresses.
• Three common source IP addresses that hackers attempt to forge are valid internal addresses (e.g., 10.10.10.0), loopback addresses (i.e., 127.x.x.x), and multicast addresses (i.e., 224.x.x.x – 239.x.x.x):
    GAD(config)#access-list 121 deny ip 10.10.10.0 0.0.0.255 any
    GAD(config)#access-list 121 deny ip 127.0.0.0 0.255.255.255 any
    GAD(config)#access-list 121 deny ip 224.0.0.0 31.255.255.255 any
    GAD(config)#access-list 121 permit ip any any
    GAD(config)#interface serial 0
    GAD(config-if)#ip access-group 121 in
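As an added example (not from the slides or the cited book), the following Python evaluates the slides' access lists 102 (into the corporate network), 112 (into the DMZ) and 121 (anti-spoofing) against constructed packets the way IOS does: first matching entry wins, wildcard-mask bits set to 1 are "don't care", and a packet matching nothing hits the implicit deny at the end of the list. Host A at 10.10.10.5 and an Internet host at 172.16.2.7 are assumed addresses, and the packet's `established` field stands for a TCP segment with ACK or RST set.

```python
import ipaddress
# Constructed sample input: the slides' ACLs 102, 112 and 121, copied verbatim.
ACL_102 = """access-list 102 permit tcp any any established
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any unreachable
access-list 102 deny ip any any"""
ACL_112 = """access-list 112 permit tcp any host 10.1.1.10 eq www
access-list 112 permit icmp 10.10.10.0 0.0.0.255 host 10.1.1.10
access-list 112 deny ip any any"""
ACL_121 = """access-list 121 deny ip 10.10.10.0 0.0.0.255 any
access-list 121 deny ip 127.0.0.0 0.255.255.255 any
access-list 121 deny ip 224.0.0.0 31.255.255.255 any
access-list 121 permit ip any any"""
PORTS = {"www": 80, "ftp": 21, "smtp": 25, "domain": 53}  # IOS port keywords

def _parse_addr(tokens):
    """any | host A.B.C.D | A.B.C.D WILDCARD -> ((base, wildcard) as ints, remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    base, wild = (tokens[1], "0.0.0.0") if tokens[0] == "host" else (tokens[0], tokens[1])
    return (int(ipaddress.IPv4Address(base)), int(ipaddress.IPv4Address(wild))), tokens[2:]

def _addr_match(spec, addr):
    base, wildcard = spec  # wildcard bit 0: must equal base; bit 1: don't care
    return ((int(ipaddress.IPv4Address(addr)) ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def parse_acl(text):
    """Ordered entries (permit, proto, src, dst, qualifiers) from 'access-list N ...' lines."""
    entries = []
    for t in (line.split() for line in text.splitlines()):
        src, rest = _parse_addr(t[4:])
        dst, quals = _parse_addr(rest)
        entries.append((t[2] == "permit", t[3], src, dst, quals))
    return entries

def _quals_match(quals, pkt):
    if quals and quals[0] == "established":  # TCP segment with ACK or RST set (reply to an inside session)
        return pkt.get("established", False)
    if quals and quals[0] == "eq":  # destination port, by keyword or number
        return pkt.get("dport") == int(PORTS.get(quals[1], quals[1]))
    return not quals or pkt.get("icmp_type") == quals[0]  # ICMP type keyword such as echo-reply

def evaluate(entries, pkt):
    """First match wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for permit, proto, src, dst, quals in entries:
        if proto in ("ip", pkt["proto"]) and _addr_match(src, pkt["src"]) \
           and _addr_match(dst, pkt["dst"]) and _quals_match(quals, pkt):
            return "permit" if permit else "deny"
    return "deny"
```

Running the slides' questions through it shows, for example, that a corporate host can ping the Web server via ACL 112 while an Internet host cannot, and that ACL 121 drops a packet arriving from the Internet side with a 10.10.10.x source.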