Security appliances
SECURITY APPLIANCES
Module 2 Unit 2
SECURE NETWORK TOPOLOGIES
A topology is a description of how a computer
network is physically or logically organized.
It is essential to define the topology when
designing a computer network and to update the
map when any changes or additions are made to
it.
The logical and physical network topology should
be analysed to identify points of vulnerability and
to ensure that the goals of confidentiality, integrity
and availability are met by the design.
ZONES AND ACCESS CONTROL LISTS
The main unit of a security topology is a zone.
A zone is an area of the network (or of a
connected network) where the security configuration
is the same for all hosts within it.
Network traffic between zones is strictly
controlled by a security device, typically a firewall.
ZONES AND ACCESS CONTROL LISTS
CONT’D…
A firewall is software or hardware that filters
traffic passing into and out of the network.
The firewall bases its decisions on an ordered set of
rules called an Access Control List (ACL): each packet
is compared against the rules in turn, typically top
to bottom, and the first match decides whether it is
permitted or denied.
Dividing a network into zones implies that each
zone has a different security configuration, and the
ACL applied between two zones is what enforces
that difference.
MAIN ZONES
Private network (intranet): a network of
trusted hosts owned and controlled by the
organization.
Extranet: a network of semi-trusted hosts,
typically representing business partners,
suppliers or customers.
Hosts must authenticate to join the extranet.
Internet: a zone permitting anonymous
access (or perhaps a mix of anonymous and
authenticated access) by untrusted hosts over the
Internet.
NETWORK SECURITY ZONES
DEMILITARIZED ZONES (DMZ)
A DMZ is a computer host or small network
inserted as a "neutral zone" between a company's
private network and the outside public network.
It prevents outside users from getting direct
access to a server that holds company data:
Internet-facing services are placed in the DMZ, and
only the traffic those services need is allowed
from the DMZ into the private network.
A bastion host is a hardened device in the DMZ that
is built to withstand attacks.
NETWORK ADDRESS TRANSLATION
NAT is a method that enables hosts on private
networks to communicate with hosts on the
Internet.
It uses a one-to-one or a one-to-many mapping
to allow one or more private IP clients to gain access
to the Internet by translating their private IP
addresses to public IP addresses.
NETWORK ADDRESS TRANSLATION
CONT’D…
Type of address    Description
Inside local       Private IP address of the internal host, before it is
                   translated into a public IP address
Inside global      Public IP address that the inside local address is
                   translated into (the address the Internet sees)
Outside global     The destination (outside) host's public IP address
Outside local      The destination host's address as it appears to hosts
                   on the inside network; normally identical to the outside
                   global address unless the outside address is translated too

The NAT device keeps an address translation table that records
each mapping (one-to-one in the case of static NAT).
STATIC NAT
In static NAT a manually configured translation is
performed by the address translation device,
translating one IP address to a different one.
Static NAT is the simplest form of NAT:
A single private IP address is mapped to a single
public IP address.
The NAT router must maintain a table in memory
that maps internal IP addresses to the addresses
presented to the Internet.
Because the mapping is fixed, the translated host is
also reachable from the Internet at its public address,
which is how an internal server is usually published.
DYNAMIC NAT
Dynamic NAT
The NAT router automatically maps a group of
local IP addresses to a group of Internet IP
addresses, as needed.
The network administrator is not concerned
about which IP address the internal clients use:
any private IP address will automatically be
translated to one of the available Internet IP
addresses by the NAT router.
Addresses for dynamic NAT are pulled from a
predefined pool of public addresses; once the pool
is exhausted, further hosts cannot be translated
until an existing entry times out.
PORT ADDRESS TRANSLATION
Port address translation (PAT)
Also known as overloading.
A special form of dynamic NAT that
allows multiple internal, private IP addresses to share
a single external registered address.
To differentiate between the connections, PAT
rewrites the source port as well as the address,
using distinct public TCP and UDP ports to create
unique sockets that map back to the internal IP
addresses and ports.
PORT ADDRESS TRANSLATION CONT’D…
DESTINATION NAT/ PORT FORWARDING
The NAT device uses port forwarding to send
connections from external clients to a server
(for example a web server) on the internal network.
The router takes requests arriving from the Internet
for a particular application (say, HTTP on port 80)
and sends them to a designated host and port on the LAN.
Only the forwarded port is exposed; other unsolicited
inbound connections to the public address are still dropped.
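The four NAT behaviours described above (static one-to-one, dynamic pool, PAT overloading, and destination NAT) can be modelled with one translation table. The following is an added example written for this page, not code from the original slides; the 10.0.0.0/8 inside hosts, the 203.0.113.0/24 public addresses, the pool size and the PAT port range are all constructed. It shows why a static mapping is reachable inbound at any time, why a PAT entry exists only after an inside host has sent something, and how a port-forward rule lets exactly one inbound service through.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]   # (ip, port)


@dataclass
class NatDevice:
    """Translation table of a NAT router (constructed example).
    Inside local addresses are 10.0.0.0/8 hosts; inside global addresses
    come from the constructed 203.0.113.0/24 public block."""
    static: Dict[str, str] = field(default_factory=dict)        # inside local -> inside global, one-to-one
    pool: List[str] = field(default_factory=list)               # free public addresses for dynamic NAT
    pat_address: Optional[str] = None                           # the single address that PAT overloads
    forwards: Dict[Endpoint, Endpoint] = field(default_factory=dict)  # public (ip, port) -> inside (ip, port)
    table: Dict[Endpoint, Endpoint] = field(default_factory=dict)     # live: inside (ip, port) -> global (ip, port)
    leases: Dict[str, str] = field(default_factory=dict)        # dynamic NAT: inside ip -> pool address in use
    next_pat_port: int = 1024                                   # next public port PAT hands out

    def translate_out(self, src_ip: str, src_port: int) -> Endpoint:
        """Outbound packet: return the (inside global ip, port) the Internet will see."""
        key = (src_ip, src_port)
        if key in self.table:                           # translation already exists
            return self.table[key]
        if src_ip in self.static:                       # static NAT: fixed address, port unchanged
            mapping = (self.static[src_ip], src_port)
        elif src_ip in self.leases:                     # dynamic NAT: host already holds a pool address
            mapping = (self.leases[src_ip], src_port)
        elif self.pool:                                 # dynamic NAT: take the next free pool address
            self.leases[src_ip] = self.pool.pop(0)
            mapping = (self.leases[src_ip], src_port)
        elif self.pat_address:                          # PAT: one address, a unique public port per socket
            mapping = (self.pat_address, self.next_pat_port)
            self.next_pat_port += 1
        else:
            raise RuntimeError("pool exhausted and no overload address configured")
        self.table[key] = mapping
        return mapping

    def translate_in(self, dst_ip: str, dst_port: int) -> Optional[Endpoint]:
        """Inbound packet addressed to a public (ip, port). Returns the inside
        (ip, port) to deliver to, or None when the packet is unsolicited and
        matches neither a live translation, a static mapping nor a port forward."""
        for inside, public in self.table.items():       # reply to a flow an inside host opened
            if public == (dst_ip, dst_port):
                return inside
        for inside_ip, public_ip in self.static.items():  # static NAT is reachable inbound at any time
            if public_ip == dst_ip:
                return (inside_ip, dst_port)
        return self.forwards.get((dst_ip, dst_port))    # destination NAT / port forwarding


def demo() -> dict:
    """Constructed scenario: one static server, a two-address dynamic pool,
    PAT overload once the pool is empty, and HTTP forwarded to an inside host."""
    nat = NatDevice(
        static={"10.0.0.10": "203.0.113.10"},
        pool=["203.0.113.20", "203.0.113.21"],
        pat_address="203.0.113.1",
        forwards={("203.0.113.1", 80): ("10.0.0.80", 8080)},
    )
    r = {}
    r["static"] = nat.translate_out("10.0.0.10", 40000)       # ('203.0.113.10', 40000)
    r["dynamic_1"] = nat.translate_out("10.0.0.11", 40001)    # ('203.0.113.20', 40001)
    r["dynamic_2"] = nat.translate_out("10.0.0.12", 40002)    # ('203.0.113.21', 40002)
    r["pat_1"] = nat.translate_out("10.0.0.13", 40003)        # pool empty -> ('203.0.113.1', 1024)
    r["pat_2"] = nat.translate_out("10.0.0.14", 40003)        # same inside port, new socket -> ('203.0.113.1', 1025)
    r["reply_pat"] = nat.translate_in("203.0.113.1", 1025)    # ('10.0.0.14', 40003)
    r["reply_static"] = nat.translate_in("203.0.113.10", 22)  # ('10.0.0.10', 22) with no prior outbound flow
    r["forward"] = nat.translate_in("203.0.113.1", 80)        # ('10.0.0.80', 8080)
    r["unsolicited"] = nat.translate_in("203.0.113.1", 2000)  # None: dropped
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:13} -> {value}")
```

The order of checks in translate_out is the order a router applies them: an existing entry first, then the administrator's static rules, then the dynamic pool, and overloading only as a fallback. The inbound side deliberately has no wildcard; anything not in the table, not statically mapped and not forwarded is returned as None, which is the drop that makes NAT incidentally hide inside hosts.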
FIREWALL
A firewall is a network security system that
controls incoming and outgoing network
traffic based on an applied rule set.
A firewall establishes a barrier between a
trusted, secure internal network and another
network (e.g., the Internet) that is assumed not
to be secure or trusted.
PACKET FILTERING FIREWALL
A packet filtering firewall inspects the headers
of IP packets.
It uses network- and transport-layer header
information only:
IP source address and destination address
Protocol/Next Header (TCP, UDP, ICMP, etc.)
TCP or UDP source and destination ports
ICMP message type
It does not look at the payload or remember previous
packets, so each packet is judged on its own.
Uses the following header information as
criteria for filtering every packet:
IP address of origin
IP target address
The protocol used
ICMP message type
TCP/UDP target port
TCP/UDP origin port
(Diagram: packet filter placed between the sending
network device and the receiving network device)
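The zone/ACL model from the start of this unit and the header-only matching of a packet filter come together in a small first-match rule engine. The code below is an added example for this page, not from the slides; the zone subnets (10.0.0.0/8 inside, 192.0.2.0/24 DMZ, everything else Internet) and the rule set are constructed. Two details matter in practice and are visible in the output: with no matching rule the packet is denied (implicit deny), and the legitimate reply to an inside host's HTTPS request is also denied, because a stateless filter has no rule that connects it to the outgoing flow.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed zone map. "internet" is the 0.0.0.0/0 catch-all and must be tested last.
ZONES = [
    ("inside", ip_network("10.0.0.0/8")),
    ("dmz", ip_network("192.0.2.0/24")),
    ("internet", ip_network("0.0.0.0/0")),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src_zone: str
    dst_zone: str
    proto: str = "any"
    dport: Optional[int] = None     # None matches any destination port
    icmp_type: Optional[int] = None # None matches any ICMP type


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES:         # most specific zone first, catch-all last
        if ip in net:
            return name
    raise ValueError(f"no zone for {addr}")


def matches(rule: Rule, pkt: Packet) -> bool:
    """Stateless match on the header fields a packet filter can see."""
    return (
        rule.src_zone == zone_of(pkt.src)
        and rule.dst_zone == zone_of(pkt.dst)
        and rule.proto in ("any", pkt.proto)
        and rule.dport in (None, pkt.dport)
        and rule.icmp_type in (None, pkt.icmp_type)
    )


def filter_packet(acl: List[Rule], pkt: Packet) -> str:
    """Rules are evaluated top down; the first match decides. No match is an implicit deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed ACL: publish a DMZ web server, let inside hosts browse out over HTTPS,
# let inside hosts ping the DMZ, and explicitly block the DMZ from reaching inside.
ACL = [
    Rule("permit", "internet", "dmz", "tcp", dport=80),
    Rule("permit", "internet", "dmz", "tcp", dport=443),
    Rule("permit", "inside", "internet", "tcp", dport=443),
    Rule("permit", "inside", "dmz", "icmp", icmp_type=8),
    Rule("deny", "dmz", "inside"),        # a compromised DMZ host must not pivot inward
]

SAMPLE = {  # constructed packets
    "web_to_dmz":    Packet("203.0.113.5", "192.0.2.10", "tcp", 51000, 80),
    "ssh_to_inside": Packet("203.0.113.5", "10.0.0.5", "tcp", 51001, 22),
    "browse_out":    Packet("10.0.0.5", "203.0.113.5", "tcp", 51002, 443),
    "reply_in":      Packet("203.0.113.5", "10.0.0.5", "tcp", 443, 51002),   # answer to browse_out
    "dmz_pivot":     Packet("192.0.2.10", "10.0.0.5", "tcp", 51003, 445),
    "ping_dmz":      Packet("10.0.0.5", "192.0.2.10", "icmp", icmp_type=8),
}


def decisions() -> dict:
    return {name: filter_packet(ACL, pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:14} {verdict}")
```

The explicit "deny dmz -> inside" rule is redundant with the implicit deny but is kept on purpose: a later administrator adding a broad permit below it cannot accidentally open that path, and a hit counter on the rule shows attempted pivots.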
STATEFUL INSPECTION FIREWALL
Traditional packet filters do not examine
transport-layer context,
i.e. they cannot match return packets with the
outgoing flow that solicited them.
Stateful packet filters address this need:
They examine each IP packet in context,
keep track of client-server sessions (for TCP, the
SYN, SYN/ACK, ACK handshake and the later teardown),
check that each packet validly belongs to one,
and hence are better able to detect bogus packets out
of context, such as an unsolicited SYN/ACK or a
packet for a session that has already been closed.
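The difference between the two approaches is easiest to see side by side: a stateless "permit anything inbound with ACK set" rule (the classic way to let replies back in) against a connection table that only admits packets belonging to a session an inside host opened. This is an added example written for this page, not code from the slides; the 10.0.0.0/8 trusted zone, the hosts and the packet trace are constructed, and the state machine is a simplified TCP tracker (SYN_SENT, SYN_RECV, ESTABLISHED, torn down on FIN or RST).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Tuple

INSIDE = ip_network("10.0.0.0/8")          # constructed trusted zone


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                              # TCP flags as letters: S, A, F, R ("SA" = SYN/ACK)


Flow = Tuple[str, int, str, int]            # (client ip, client port, server ip, server port)


def stateless_established_rule(p: Pkt) -> str:
    """Classic packet-filter approximation: permit inbound TCP whenever ACK is set.
    It has no memory, so any ACK-bearing packet from outside is accepted."""
    inside_src = ip_address(p.src) in INSIDE
    return "permit" if inside_src or "A" in p.flags else "deny"


class StatefulFilter:
    """Tracks client-server sessions opened from the inside and admits return
    traffic only when it belongs to one of them."""

    def __init__(self) -> None:
        self.conns: Dict[Flow, str] = {}     # flow -> SYN_SENT | SYN_RECV | ESTABLISHED

    def inspect(self, p: Pkt) -> str:
        inside_src = ip_address(p.src) in INSIDE
        fwd: Flow = (p.src, p.sport, p.dst, p.dport)      # packet travels client -> server
        rev: Flow = (p.dst, p.dport, p.src, p.sport)      # packet travels server -> client
        if inside_src and p.flags == "S" and fwd not in self.conns:
            self.conns[fwd] = "SYN_SENT"                  # inside host opens a session
            return "permit"
        if fwd in self.conns:                             # client side of a known session
            state = self.conns[fwd]
            if "R" in p.flags or "F" in p.flags:
                del self.conns[fwd]                       # teardown
            elif state == "SYN_RECV" and "A" in p.flags:
                self.conns[fwd] = "ESTABLISHED"           # third step of the handshake
            return "permit"
        if rev in self.conns:                             # server side of a known session
            state = self.conns[rev]
            if state == "SYN_SENT" and p.flags != "SA":
                return "deny"                             # only a SYN/ACK is valid at this point
            if "R" in p.flags or "F" in p.flags:
                del self.conns[rev]
            elif state == "SYN_SENT":
                self.conns[rev] = "SYN_RECV"
            return "permit"
        return "deny"                                     # out of context: no session owns it


def run_trace() -> Dict[str, Tuple[str, str]]:
    """Constructed trace; returns {step: (stateless verdict, stateful verdict)}."""
    fw = StatefulFilter()
    client, server, stranger = "10.0.0.5", "203.0.113.7", "198.51.100.9"
    trace = [
        ("syn_out",        Pkt(client, 51000, server, 443, "S")),
        ("synack_in",      Pkt(server, 443, client, 51000, "SA")),
        ("ack_out",        Pkt(client, 51000, server, 443, "A")),
        ("data_in",        Pkt(server, 443, client, 51000, "A")),
        ("bogus_port",     Pkt(server, 443, client, 51001, "A")),     # right server, wrong socket
        ("bogus_synack",   Pkt(stranger, 443, client, 51000, "SA")),  # unsolicited SYN/ACK
        ("reset_in",       Pkt(server, 443, client, 51000, "RA")),    # server tears the session down
        ("after_reset_in", Pkt(server, 443, client, 51000, "A")),     # session no longer exists
    ]
    return {name: (stateless_established_rule(p), fw.inspect(p)) for name, p in trace}


if __name__ == "__main__":
    for step, (stateless, stateful) in run_trace().items():
        print(f"{step:15} stateless={stateless:6} stateful={stateful}")
```

The three steps where the verdicts differ (bogus_port, bogus_synack, after_reset_in) are exactly the "bogus packets out of context" the slide refers to: each carries an ACK and so passes the stateless rule, but none belongs to a live session. A real stateful firewall also ages entries out on a timer and checks sequence numbers; the table here shows the principle, not that detail.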
APPLICATION LAYER GATEWAY
Also called an application proxy or application-level
proxy, an application gateway is an application program
that runs on a firewall system between
two networks.
When a client program establishes a connection
to a destination service, it connects to the
application gateway, or proxy, instead; the gateway
then opens its own connection to the destination
on the client's behalf.
PROXY SERVERS AND GATEWAYS
Filters unwanted services, because the gateway
understands the application protocol (for HTTP,
the method, URL and headers) rather than just
addresses and ports.
There is no direct data exchange between
internal and external computers.
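What an application gateway can decide that a packet filter cannot is shown below for HTTP: the proxy terminates the client's connection, parses the request, applies policy on the method, the destination host and the port a CONNECT tunnel asks for, and only then builds the request it will send on its own connection to the origin. This is an added example for this page, not code from the slides or from any proxy product; the allowed methods, blocked hosts, the "gateway.example" Via identifier and the sample requests are all constructed.

```python
from typing import List, Tuple
from urllib.parse import urlsplit

ALLOWED_METHODS = {"GET", "HEAD", "POST", "CONNECT"}
BLOCKED_HOSTS = {"ads.example", "malware.example"}          # constructed policy
TUNNEL_PORTS = {443}                                        # CONNECT may only tunnel to TLS
HOP_BY_HOP = {"proxy-connection", "proxy-authorization", "connection", "keep-alive"}
GATEWAY_ID = "1.1 gateway.example"                          # constructed name announced in Via


def parse_request(raw: bytes):
    """Split an HTTP/1.1 request into method, target, version, header list and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers, body


def gateway_decision(raw: bytes) -> Tuple[str, str, bytes]:
    """Return ("forward", upstream_host, request_to_send) or ("deny", reason, b"")."""
    method, target, version, headers, body = parse_request(raw)
    if method not in ALLOWED_METHODS:
        return "deny", f"method {method} not permitted", b""
    if method == "CONNECT":                                 # client asks for an opaque tunnel
        host, _, port = target.rpartition(":")
        if not port.isdigit() or int(port) not in TUNNEL_PORTS:
            return "deny", f"tunnel to port {port!r} not permitted", b""
        path = target
    else:
        url = urlsplit(target)
        if url.scheme != "http":
            return "deny", f"scheme {url.scheme!r} not permitted", b""
        host = url.hostname or ""
        path = (url.path or "/") + (f"?{url.query}" if url.query else "")
    if not host or host in BLOCKED_HOSTS:
        return "deny", f"host {host!r} blocked", b""
    # The gateway talks to the origin itself: hop-by-hop headers stop here and Via is added,
    # so the origin never sees the client's TCP connection or proxy credentials.
    kept = [(n, v) for n, v in headers if n.lower() not in HOP_BY_HOP]
    kept.append(("Via", GATEWAY_ID))
    upstream = f"{method} {path} {version}\r\n".encode("latin-1")
    upstream += b"".join(f"{n}: {v}\r\n".encode("latin-1") for n, v in kept) + b"\r\n" + body
    return "forward", host, upstream


SAMPLES = {  # constructed client requests as received on the proxy port
    "intranet_get": b"GET http://intranet.example/reports?id=3 HTTP/1.1\r\nHost: intranet.example\r\nProxy-Connection: keep-alive\r\n\r\n",
    "ad_host":      b"GET http://ads.example/track.js HTTP/1.1\r\nHost: ads.example\r\n\r\n",
    "smtp_tunnel":  b"CONNECT mail.example:25 HTTP/1.1\r\nHost: mail.example:25\r\n\r\n",
    "tls_tunnel":   b"CONNECT bank.example:443 HTTP/1.1\r\nHost: bank.example:443\r\n\r\n",
    "delete":       b"DELETE http://intranet.example/reports/3 HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
}


def run_samples() -> dict:
    return {name: gateway_decision(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, detail, _) in run_samples().items():
        print(f"{name:13} {action:8} {detail}")
```

The smtp_tunnel case is the one worth noting: to a packet filter it is just TCP to the proxy port, identical to the permitted tls_tunnel; only a gateway that parses CONNECT can see that the client is trying to reach port 25 and refuse it.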
REVERSE PROXY SERVERS
Monitor inbound traffic.
Prevent direct, unmonitored access to the server's
data from outside the company.
Advantages:
Performance (caching and load distribution)
Privacy (the internal server's identity and
configuration are hidden behind the proxy)
EMAIL GATEWAYS AND SPAM
Spam is junk or unsolicited email.
Most new email application software has spam
filtering built in.
This is an appropriate solution for home users,
but on enterprise networks, if spam has already
reached the user's mailbox then it has already wasted
bandwidth and taken up space on the server.
A secure configuration for email is to install an
email relay server in a DMZ, so that spam is
rejected at the relay before it reaches the
internal mail server.
METHODS TO REDUCE SPAM
Whitelist: if an organization only deals with a
limited number of correspondents, it can set
up a whitelist of permitted sender domains.
SMTP standards checking: rejecting email that is
not strictly RFC compliant.
rDNS lookup: rejecting mail from servers where
the IP address's reverse DNS record does not match
the domain in the message header, or where the IP
address is a dynamically assigned address.
Tarpitting: introducing a delayed response to
the SMTP session. This makes the spammer's server
less efficient.
Recipient filtering: blocking mail that is not
addressed to a valid recipient email address.
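The five checks listed on these two slides are the acceptance policy a DMZ relay applies before it ever forwards a message inward. The code below is an added example written for this page, not from the slides or from any mail product; the reverse-DNS table (standing in for real PTR lookups, so nothing touches the network), the whitelist, the valid recipients, the 20-second tarpit and the sample sessions are all constructed.

```python
import re
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Session:
    client_ip: str      # address of the connecting mail server
    mail_from: str      # envelope sender
    rcpt_to: str        # envelope recipient


# Constructed stand-ins for data the relay would hold or look up.
PTR_TABLE = {
    "203.0.113.25": "mail.partner.example",
    "198.51.100.77": "dsl-198-51-100-77.isp.example",   # typical dynamically assigned host name
    "192.0.2.200": "mx.spam.example",
}
WHITELIST = {"partner.example", "supplier.example"}      # the only correspondents we deal with
VALID_RECIPIENTS = {"sales@corp.example", "support@corp.example"}
TARPIT_SECONDS = 20                                     # delay before answering a rejected session
DYNAMIC_PTR = re.compile(r"\b(dsl|dhcp|dyn|pool|ppp)[-.]|\d+-\d+-\d+-\d+", re.I)
ADDRESS = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")  # loose mailbox@domain shape (RFC 5321)


def evaluate(s: Session) -> Tuple[str, int]:
    """Return (decision, tarpit delay in seconds). Rejections are answered slowly
    so a bulk sender spends its time waiting on us rather than moving on."""
    m = ADDRESS.match(s.mail_from)
    if not m:                                              # SMTP standards checking
        return "reject: malformed MAIL FROM", TARPIT_SECONDS
    sender_domain = m.group(1).lower()
    if s.rcpt_to.lower() not in VALID_RECIPIENTS:         # recipient filtering
        return "reject: unknown recipient", TARPIT_SECONDS
    if sender_domain not in WHITELIST:                     # whitelist of permitted domains
        return f"reject: {sender_domain} not a permitted sender domain", TARPIT_SECONDS
    ptr = PTR_TABLE.get(s.client_ip)                       # rDNS lookup (constructed table, no network)
    if ptr is None:
        return "reject: no reverse DNS", TARPIT_SECONDS
    if DYNAMIC_PTR.search(ptr):
        return "reject: dynamically assigned address", TARPIT_SECONDS
    if not (ptr == sender_domain or ptr.endswith("." + sender_domain)):
        return f"reject: reverse DNS {ptr} does not match {sender_domain}", TARPIT_SECONDS
    return "accept", 0


SESSIONS = {  # constructed
    "partner_ok":        Session("203.0.113.25", "alice@partner.example", "sales@corp.example"),
    "spoof_from_dsl":    Session("198.51.100.77", "alice@partner.example", "sales@corp.example"),
    "spoof_from_static": Session("192.0.2.200", "alice@partner.example", "sales@corp.example"),
    "harvest":           Session("203.0.113.25", "alice@partner.example", "ceo@corp.example"),
    "unknown_domain":    Session("192.0.2.200", "bob@spam.example", "sales@corp.example"),
    "malformed":         Session("203.0.113.25", "not-an-address", "sales@corp.example"),
}


def run_sessions() -> dict:
    return {name: evaluate(s) for name, s in SESSIONS.items()}


if __name__ == "__main__":
    for name, (decision, delay) in run_sessions().items():
        print(f"{name:18} {decision} (tarpit {delay}s)")
```

The two "spoof" sessions claim a whitelisted sender domain, which is why the rDNS checks run after the whitelist: a whitelist on the envelope domain alone is trivially forged, and the reverse-DNS consistency check is what ties the claim to the connecting server. The recipient check is placed before the expensive lookups so that directory-harvest probes are answered cheaply, and slowly.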