IDS - Pravin Shetty
CPE5021
Advanced Network Security
---Network Security and Performance---
Lecture 9
Outline
Firewalls and Load Balancing
VPN and Network Performance
NAT and Load Balancing
Network Security Architecture
CPE5002 - Advanced Network Security
Firewalls and Load Balancing
Nowadays most networks have at least one or two firewalls (packet-filtering and proxy firewalls).
Most networks provide mail and web services and have proxy firewalls that must inspect several fields of every packet.
Current firewalls are designed to protect networks effectively against intrusions. However, they limit performance and scalability.
They are also often single points of failure and hence can reduce network availability.
Why Firewalls Introduce Problems: E.g.
Firewalls can be software-based products installed on a machine with two or three network interface cards (NICs).
One NIC connects the enterprise network to the public network (NIC ---Router---Internet).
The second NIC is connected to the non-DMZ part of the corporate network.
The third NIC, if there is one, is connected to the DMZ.
Because firewalls are deployed in the data path, through which all packets go, they can limit network performance and scalability.
Firewalls can slow communications by having to process every packet. E.g.: proxy firewalls.
Firewalls make it difficult to upgrade other servers. E.g.: firewalls integrated with VPN; firewalls integrated with routers.
Firewalls with 3 NICs: Example
[Figure: a firewall with three NICs - one NIC to the DMZ, one NIC to the Internet via a router, and one NIC to the non-DMZ network.]
Solutions
Some sophisticated application devices, such as specialised advanced switches (called Application Switches, e.g. Alteon AS, Alteon Web Switch), can reduce the problems caused by firewalls.
Those switches are built with SSL features and act as load balancers.
Application switches support Layer 4 and higher-layer switching and processing functionality, and can maintain the state of individual TCP sessions.
Vendors are also looking, beyond SSL, to integrate security features such as DoS protection, malicious URL blocking, and application-layer firewalling into their switches.
Solutions (e.g.)
Cisco provides the L4-L7 switch/load balancer without SSL.
Nortel provides the L4-L7 switch/load balancer without SSL.
F5 Networks provides SSL-enabled L4-L7 switches and load balancers.
Cisco Catalysts with SSL service modules.
Cisco firewall/VPN/load balancer series.
Firewalls and Network Devices for Load Balancing (e.g.)
[Figure: load balancers placed between the Internet and the private network, with firewalls behind them.]
Firewalls and Load Balancers
Most load balancers can provide both packet filtering and packet inspection.
Load balancers can be set up so that only desired TCP/UDP ports are load-balanced.
E.g.: we can set up TCP port 80 for Web traffic only, which provides the packet-filtering functionality (traffic to any other port is not forwarded).
Load balancers do most of their work at the network level; therefore they can keep TCP state information and make decisions based on that state.
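The two ideas on this slide (balancing only configured ports, and forwarding non-SYN TCP segments only when a session is already known) in a small model of a stateful L4 load balancer. This is an added illustration, not vendor code; the backend names, addresses and packets are constructed.

```python
from dataclasses import dataclass
from itertools import cycle


@dataclass(frozen=True)
class Packet:
    """Constructed 5-tuple model of a packet; flags is a frozenset of TCP flags."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                      # "tcp" or "udp"
    flags: frozenset = frozenset()  # e.g. frozenset({"SYN"})


class StatefulL4Balancer:
    """Forwards only traffic to configured (proto, port) pairs (packet filtering)
    and keeps a per-session table so TCP segments are only forwarded when they
    belong to a session that was opened by a SYN (stateful decision)."""

    def __init__(self, backends, allowed_ports):
        self.backends = cycle(backends)          # round-robin backend assignment
        self.allowed_ports = set(allowed_ports)  # e.g. {("tcp", 80), ("tcp", 443)}
        self.sessions = {}                       # 5-tuple -> backend

    def handle(self, pkt):
        # Packet-filtering role: anything not on a balanced port is dropped.
        if (pkt.proto, pkt.dport) not in self.allowed_ports:
            return ("drop", "port not balanced")
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if pkt.proto == "tcp":
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.sessions[key] = next(self.backends)   # new session opens here
                return ("forward", self.sessions[key])
            backend = self.sessions.get(key)
            if backend is None:                            # mid-stream segment, no state
                return ("drop", "no session state")
            if pkt.flags & {"FIN", "RST"}:
                self.sessions.pop(key)                     # teardown removes state
            return ("forward", backend)
        # UDP has no handshake: pin the 5-tuple so replies reach the same backend.
        if key not in self.sessions:
            self.sessions[key] = next(self.backends)
        return ("forward", self.sessions[key])


def demo():
    """Constructed traffic: a handshake, a stray ACK with no session, and SSH."""
    lb = StatefulL4Balancer(["web1", "web2"], [("tcp", 80), ("tcp", 443)])
    syn = Packet("198.51.100.7", 40001, "203.0.113.10", 80, "tcp", frozenset({"SYN"}))
    ack = Packet("198.51.100.7", 40001, "203.0.113.10", 80, "tcp", frozenset({"ACK"}))
    stray = Packet("198.51.100.9", 40002, "203.0.113.10", 80, "tcp", frozenset({"ACK"}))
    ssh = Packet("198.51.100.7", 40003, "203.0.113.10", 22, "tcp", frozenset({"SYN"}))
    return [lb.handle(p) for p in (syn, ack, stray, ssh)]
```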
VPN and Load Balancing
How do you improve the performance of your network if it provides a VPN service?
A VPN server separated from the firewalls.
A VPN server integrated with a firewall.
VPN, Firewall and Load Balancer (e.g.)
Symantec Firewall/VPN 200 Appliance
Features: 8 x 10/100 Mbps LAN ports
2 x 10 Mbps WAN ports
High availability
Load balancing on the 2 WAN ports
The Symantec Firewall/VPN Appliance is both a firewall and a VPN solution, providing efficient and secure Internet connectivity for small businesses.
A small business computer system can use gateway-to-gateway IPSec to connect to other networks, and remote users can access their company's network via client-to-gateway IPSec VPN.
VPN, Firewall and Load Balancer (e.g.)
HotBrick Load Balancer LB-2 (2 x WAN, 4 x LAN)
Its 2 x 10/100 Mbps WAN ports allow high-speed access with NAPT support.
It enables port mapping of a pool of public IP addresses.
It provides a dynamic DNS feature for mapping dynamic addresses to virtual servers within the LAN.
It also provides the option to double network speed, with a failover feature, along with firewall features such as URL and ICMP filtering, DoS attack prevention, stateful packet inspection and group access control.
VPN, Firewall and Load Balancer (e.g.)
HotBrick Firewall VPN 1200/2 (2 x WAN, 12 x LAN) is at once:
a firewall,
a VPN server,
a router,
a load balancer,
and can support up to 88 Mbps of throughput and 5000 concurrent IP sessions.
The VPN server allows 20 VPN end-points plus compatibility with RADIUS.
NAT and Load Balancing
How do we improve network performance using load balancing associated with:
A NAT box behind a firewall.
A NAT box behind a VPN server.
A NAT box in parallel with a VPN server.
NAT and VPN and Load Balancing
[Figure: NAT, VPN and load balancing topology, borrowed from Cisco.]
Network Security Architectures
Network Security Architecture (NSA) is very important for any medium or large network. A good architecture will not only save a company money but also provide an adequate level of security and survive attacks.
A guideline for a good NSA should at least include:
1. Dynamic cryptosystems.
2. Structures for adapting to new protocols.
3. Structures for full authentication of all network elements, including devices, software, protocols, users, servers, subnets, etc.
4. Structures for trusted computing systems.
5. Structures to support load balancing, availability and scalability.
NSA: Dynamic Cryptosystems
A secure network needs to support many different cryptosystems.
Cryptography is evolving quickly with quantum computing and ECC theory. How will your NSA live with such evolution if your system is built around many traditional crypto algorithms?
Future networks will be wireless communications that require different technologies; hence future networks have to be able to support many different cryptosystems.
If your NSA will support more wireless, then what should it look like when you create it now?
More powerful computers and network devices will be produced in the near future, and this will put a strong demand on strong authentication and cryptosystems.
What if your corporation does not have a very powerful computer but the others do?
NSA: Adaptation of New Protocols
Many new voice, video, and other newly formed applications will be integrated into networks, especially the Internet; hence current crypto and authentication systems will need to be upgraded.
How can your NSA adapt to a new protocol that may pose a threat to your organisation?
ICR
H323 (http://www.protocols.com/pbook/h323.htm)
VoIP
Etc.
NSA: A Structure for Trusted Computing Systems
Trusted computing systems exist in most large networks; how do we structure such networks with high security?
Use digital signatures for verifying software packages, programs and functions.
Use network auditors to audit and monitor the whole network.
How do we get all of this done automatically?
NSA: Load Balancing, Availability and Scalability
When should we think of load balancing, availability and scalability: before or after we have designed and implemented firewalls, VPNs, NAT boxes, and other network security components?
How will Intelligent Application Network Components fit into the NSA? When and how should the following be done?
Ensure continuous application availability with Layer 4 to Layer 7 load balancing?
Tune the application infrastructure with Layer 7 content switching?
Optimise multi-site load distribution using current Global Server Load Balancing?
Enhance application performance for Web and non-Web applications?
Deliver increased application performance while reducing server workload?
Accelerate secure application delivery with SSL/IPSec?