Chap 11: Network Security Topologies

Learning Objectives
- Explain the network perimeter's importance to an organization's security policies
- Identify the place and role of the demilitarized zone in the network
- Explain how network address translation is used to help secure networks
- Spell out the role of tunneling in network security
- Describe the security features of virtual local area networks

Perimeter Security Topologies
- Put in place using firewalls and routers on the network edge
- Permit secure communications between the organization and third parties
- Key enablers for many mission-critical network services
- Include demilitarized zones (DMZs), extranets, and intranets
- Selectively admit or deny data flows from other networks based on several criteria:
  - Type (protocol)
  - Source
  - Destination
  - Content

Three-tiered Architecture
- Outermost perimeter
- Internal perimeters
- Innermost perimeter

Outermost Perimeter
- Router used to separate the network from the ISP's network
- Identifies the separation point between assets you control and those you do not
- Most insecure area of a network infrastructure
- Normally reserved for routers, firewalls, and public Internet servers (HTTP, FTP, Gopher)
- Not for sensitive company information that is for internal use only

Internal Perimeters
- Represent additional boundaries where other security measures are in place

Network Classifications
- Trusted
- Semi-trusted
- Untrusted

Trusted Networks
- Inside the network security perimeter
- The networks you are trying to protect

Semi-Trusted Networks
- Allow access to some database materials and e-mail
- May include DNS, proxy, and modem servers
- Not for confidential or proprietary information
- Referred to as the demilitarized zone (DMZ)

Untrusted Networks
- Outside your security perimeter
- Outside your control

Creating and Developing Your Security Design
- Know your enemy
- Count the cost
- Identify assumptions
- Control secrets
- Know your weaknesses
- Limit the scope of access
- Understand your environment
- Limit your trust

DMZ
- Used by a company to host its own Internet services without exposing its private network to unauthorized access
- Sits between the Internet and the internal network's line of defense, usually some combination of firewalls and bastion hosts
- Traffic originating from it should be filtered
- Typically contains devices accessible to Internet traffic:
  - Web (HTTP) servers
  - FTP servers
  - SMTP (e-mail) servers
  - DNS servers
- An optional, more secure alternative to a simple firewall; may include a proxy server

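The perimeter filtering criteria (type, source, destination) applied to the three zones above, as an added example that is not part of the original slides: a small default-deny policy evaluator in which flows are classified into trusted, DMZ and untrusted zones and only explicitly permitted zone/protocol/port combinations pass, so traffic originating in the DMZ is filtered on its way inward. The address plan and the rule set are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan for the example: RFC 1918 space for the trusted
# and DMZ zones; anything else is treated as the untrusted Internet.
ZONES = {
    "trusted": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
}


def zone_of(ip):
    """Classify an address as trusted, dmz, or untrusted (everything else)."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "untrusted"


@dataclass(frozen=True)
class Permit:
    src_zone: str
    dst_zone: str
    proto: str      # "tcp" or "udp"
    dst_port: int


# Constructed permit list: the only flows allowed to cross a zone boundary.
# Anything not listed is denied, so a DMZ host cannot open arbitrary
# connections into the trusted network even if it is compromised.
POLICY = [
    Permit("untrusted", "dmz", "tcp", 80),      # public web server
    Permit("untrusted", "dmz", "tcp", 25),      # inbound mail to DMZ relay
    Permit("untrusted", "dmz", "udp", 53),      # public DNS
    Permit("dmz", "trusted", "tcp", 25),        # relay hands mail to internal server
    Permit("trusted", "dmz", "tcp", 22),        # administration of DMZ hosts
    Permit("trusted", "untrusted", "tcp", 443),  # outbound browsing
]


def evaluate(src_ip, dst_ip, proto, dst_port):
    """Return 'permit' or 'deny' for a flow crossing the perimeter."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return "permit"  # intra-zone traffic does not cross the firewall
    if Permit(src_zone, dst_zone, proto, dst_port) in POLICY:
        return "permit"
    return "deny"        # default deny for everything unmatched
```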
DMZ Design Goals
- Minimize the scope of damage
- Protect sensitive data on the server
- Detect the compromise as soon as possible
- Minimize the effect of the compromise on other organizations

Intranet
- Either a network topology or an application (usually a Web portal) used as a single point of access to deliver services to employees
- Typically a collection of all LANs inside the firewall
- Shares company information and computing resources among employees
- Allows access to the public Internet through firewalls that screen communications in both directions to maintain company security
- Also called a campus network

Extranet
- Private network that uses the Internet protocol and the public telecommunication system to provide various levels of accessibility to outsiders
- Can be accessed only with a valid username and password
- Identity determines which parts of the extranet you can view
- Requires security and privacy:
  - Firewall management
  - Issuance and use of digital certificates or other user authentication
  - Encryption of messages
  - Use of VPNs that tunnel through the public network

Network Address Translation (NAT)
- Internet standard that enables a LAN to use one set of IP addresses for internal traffic and a second set for external traffic
- Able to translate the addresses contained in an IP packet

Main Purposes of NAT
- Provide a type of firewall by hiding internal IP addresses
- Enable a company to use more internal IP addresses

NAT
- Most often used to map IPs from the nonroutable private address spaces defined by RFC 1918
- Two forms: static NAT and dynamic NAT

Port Address Translation (PAT)
- Variation of dynamic NAT
- Allows many hosts to share a single IP address by multiplexing streams differentiated by TCP/UDP port numbers
- Commonly implemented on SOHO routers

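How PAT multiplexes many RFC 1918 hosts onto one public address, as an added example that is not from the original slides: a translation table that allocates a distinct external port per inside (address, port) pair on first use, maps replies back by that port, and drops unsolicited inbound packets that match no session, which is the firewall-like hiding of internal addresses described above. The public address, port range and inside hosts are constructed values.

```python
import ipaddress


class PortAddressTranslator:
    """Minimal PAT table: many private hosts share one public IP, told apart by port."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = str(ipaddress.ip_address(public_ip))
        self.next_port = first_port
        self.outbound = {}   # (inside_ip, inside_port) -> public_port
        self.inbound = {}    # public_port -> (inside_ip, inside_port)

    def translate_out(self, src_ip, src_port):
        """Rewrite an outbound flow's source to (public_ip, allocated public port)."""
        addr = ipaddress.ip_address(src_ip)
        if not addr.is_private:
            # Only RFC 1918 (and similar non-routable) sources are translated.
            raise ValueError(f"{src_ip} is not a private address")
        key = (str(addr), src_port)
        if key not in self.outbound:
            # Dynamic allocation: a new session gets the next free public port.
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return self.public_ip, self.outbound[key]

    def translate_in(self, dst_port):
        """Map an inbound packet back to the inside host that opened the session.

        Returns None when no session exists: an unsolicited packet from the
        Internet has nowhere to go, so the internal hosts stay hidden.
        """
        return self.inbound.get(dst_port)
```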
Tunneling
- Enables a network to securely send its data through untrusted or shared network infrastructure
- Encrypts and encapsulates a network protocol within packets carried by a second network
- Best-known example: virtual private networks
- Replacing WAN links because of security and low cost
- An option for most IP connectivity requirements

Example of a Tunnel (figure)

Virtual Local Area Networks (VLANs)
- Deployed using network switches
- Used throughout networks to segment different hosts from each other
- Often coupled with a trunk, which allows switches to share many VLANs over a single physical link

Benefits of VLANs
- Network flexibility
- Scalability
- Trunking
- Increased performance
- Some security features

Security Features of VLANs
- Can be configured to group together users in the same group or team
- Offer some protection when sniffers are inserted into the network
- Protect unused switch ports
- Use an air gap to separate trusted from untrusted networks

Vulnerabilities of VLAN Trunks
- Trunk autonegotiation
  - Prevention: disable autonegotiation on all ports
- Trunk VLAN membership and pruning
  - Prevention: manually configure all trunk links with the VLANs that are permitted to traverse them

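The second prevention step modelled in code, as an added example that is not from the original slides: an 802.1Q tag parser that extracts the 12-bit VLAN ID a trunk uses to keep VLANs apart on one physical link, and a check that forwards a frame only if its VLAN is in the trunk's explicitly configured allowed set. Untagged frames fall into the native VLAN, which the allowed set must also cover deliberately. The test frames are constructed here.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value announcing an 802.1Q tag


def parse_vlan_tag(frame, native_vlan=1):
    """Return (vlan_id, priority, payload_ethertype) for an Ethernet frame.

    Untagged frames belong to the trunk's native VLAN; tagged frames carry a
    16-bit TCI: 3-bit priority (PCP), 1-bit DEI, 12-bit VLAN identifier (VID).
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return native_vlan, 0, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    pcp = tci >> 13
    vid = tci & 0x0FFF
    return vid, pcp, inner_type


def trunk_accepts(frame, allowed_vlans, native_vlan=1):
    """A manually configured trunk forwards only VLANs in its allowed set."""
    vid, _, _ = parse_vlan_tag(frame, native_vlan)
    return vid in allowed_vlans


def build_tagged_frame(vid, pcp=0, ethertype=0x0800):
    """Constructed test frame: broadcast dst, locally administered src, 802.1Q tag."""
    dst = b"\xff" * 6
    src = bytes.fromhex("020000000001")
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + bytes(20)
```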
Chapter Summary
- Technologies used to create network topologies that secure data and networked resources:
  - Perimeter networks
  - Network address translation (NAT)
  - Virtual local area networks (VLANs)