Network Perimeter Security
Yu Wang

Main Topics
  • Border Router
  • Firewall
  • IPS/IDS
  • VLAN
  • SPAM
  • AAA
  • Q/A
Border Router
  • Gate to the Internet
  • First and last line of defense
  • Role of a router
    • Designed to route packets
    • Operates primarily on layer 3
    • Able to filter packets using an Access Control List (ACL)
  • Limited as a network security control
Router ACL
  • Standard ACL (layer 3)
    • access-list 1 permit 168.223.0.0 0.0.255.255
    • access-list 2 deny 192.168.0.0 0.0.0.255
  • Extended ACL (layer 3, 4)
    • access-list 101 permit tcp 168.223.0.0 0.0.255.255 host 128.186.6.14 eq www
    • access-list 101 deny tcp 192.168.0.0 0.0.0.255 any log
    • access-list 101 deny ip any any
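The slide lists the ACL entries but not how a router evaluates them. The following is an added example (not part of the presentation) that models the IOS semantics that matter at the perimeter: entries are checked top to bottom, the first match decides, and anything unmatched hits the implicit deny at the end of every list. It parses the slide's own entries; the packets, the `PORT_NAMES` table (a subset of the IOS port-name table) and the helper names are assumptions constructed for the example.

```python
"""Evaluate Cisco IOS style access-list entries against packets.

Added example for the Router ACL slide; not part of the presentation.
Reproduces first-match, top-to-bottom evaluation with an implicit deny.
PORT_NAMES is a constructed subset of the IOS port-name table (assumption).
"""
import ipaddress

PORT_NAMES = {"www": 80, "ssh": 22, "domain": 53, "smtp": 25}  # assumption: subset


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' | 'A' at tokens[i]; return (addr, wildcard, next_i)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    if i + 1 < len(tokens) and _is_ipv4(tokens[i + 1]):
        return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2
    return _ip(tokens[i]), 0, i + 1          # bare address: IOS assumes wildcard 0.0.0.0


def _addr_match(addr, wildcard, packet_addr):
    # A 1 bit in the wildcard mask means "don't care" for that bit position.
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (packet_addr & care)


def parse_ace(line):
    """Parse one 'access-list N permit|deny ...' line into a dict."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("unsupported entry: " + line)
    number = int(t[1])
    ace = {"number": number, "action": t[2], "log": t[-1] == "log", "dport": None}
    if 1 <= number <= 99:                     # standard ACL: source address only
        src, swild, _ = _parse_addr(t, 3)
        ace.update(proto="ip", src=(src, swild), dst=(0, 0xFFFFFFFF))
        return ace
    proto = t[3].lower()                      # extended ACL: protocol, src, dst, optional port
    src, swild, i = _parse_addr(t, 4)
    dst, dwild, i = _parse_addr(t, i)
    if i + 1 < len(t) and t[i] == "eq":
        port = t[i + 1]
        ace["dport"] = int(port) if port.isdigit() else PORT_NAMES[port]
    ace.update(proto=proto, src=(src, swild), dst=(dst, dwild))
    return ace


def evaluate(acl, pkt):
    """Return (action, index) of the first matching entry; index None = implicit deny."""
    for idx, ace in enumerate(acl):
        if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
            continue
        if not _addr_match(*ace["src"], _ip(pkt["src"])):
            continue
        if not _addr_match(*ace["dst"], _ip(pkt["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
            continue
        return ace["action"], idx
    return "deny", None


# The slide's entries, parsed into lists ready for evaluate().
ACL_101 = [parse_ace(line) for line in (
    "access-list 101 permit tcp 168.223.0.0 0.0.255.255 host 128.186.6.14 eq www",
    "access-list 101 deny tcp 192.168.0.0 0.0.0.255 any log",
    "access-list 101 deny ip any any",
)]
ACL_1 = [parse_ace("access-list 1 permit 168.223.0.0 0.0.255.255")]

if __name__ == "__main__":
    for pkt in (  # constructed packets
        {"proto": "tcp", "src": "168.223.5.5", "dst": "128.186.6.14", "dport": 80},
        {"proto": "tcp", "src": "168.223.5.5", "dst": "128.186.6.14", "dport": 443},
        {"proto": "tcp", "src": "192.168.0.7", "dst": "128.186.6.14", "dport": 80},
    ):
        action, idx = evaluate(ACL_101, pkt)
        logged = idx is not None and ACL_101[idx]["log"]
        print(pkt["src"], "->", pkt["dst"], pkt["dport"], action, "entry", idx, "log" if logged else "")
```

Two points the run makes visible: the `eq www` entry permits only port 80, so a TCP packet from the same source to port 443 falls through to the final `deny ip any any`, and the `log` keyword on the second entry is what makes the denied RFC 1918 source show up in the router's log, which is the only entry on the slide a defender would see in monitoring.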
Firewall
  • What is a firewall?
    • A network device designed to filter packets
    • A software application developed to do the same function
  • A firewall operates on layers 3 – 7
  • A firewall is stateful
    • If a packet is allowed to pass, an entry is added to the state table
Firewall Stateful Operations
  • State Table
    • TCP out 67.76.135.17:26944 in 128.186.120.4:993 idle 23:27:42 bytes 333091 flags UfFIOB
    • TCP out 71.229.26.75:60849 in 128.186.120.56:22 idle 2:26:47 bytes 2074496 flags UIOB
    • ICMP out 192.168.25.15:512 in 128.186.120.179:0 idle 0:00:00 bytes 2048
    • UDP out 64.70.24.76:53 in 128.186.120.179:1110 idle 0:00:00 flags –
  • Stateful filtering – layer 4 and lower
  • Stateful inspection – all layers
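To show what the state table on the slide actually buys at the perimeter, here is an added simulation (not from the presentation or any vendor product) of stateful filtering at layer 4 and below: an inside-initiated flow creates an entry, an inbound packet is permitted only when it matches an existing entry, and entries expire after a per-protocol idle timeout. The inside prefix, timeouts, addresses and packet sequence are constructed assumptions; the `dump()` output mimics the slide's `out ... in ... idle` rows.

```python
"""Simulate the state table of a stateful perimeter firewall.

Added example for the Firewall Stateful Operations slide; not from the
presentation or any vendor's product. INSIDE_PREFIX, IDLE_TIMEOUT and the
packet sequence in demo() are constructed assumptions.
"""
from dataclasses import dataclass

INSIDE_PREFIX = "128.186.120."                        # assumption: the protected network
IDLE_TIMEOUT = {"TCP": 3600, "UDP": 120, "ICMP": 10}  # seconds, constructed values


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    t: float            # arrival time, seconds


class StatefulFirewall:
    def __init__(self):
        self.table = {}  # (proto, out_host, out_port, in_host, in_port) -> last-seen time

    @staticmethod
    def _inside(addr):
        return addr.startswith(INSIDE_PREFIX)

    def _key(self, p):
        """Canonical key in the slide's 'out <outside> in <inside>' orientation, so both
        directions of one flow map to the same entry. ICMP is tracked per host pair."""
        if self._inside(p.src):
            out_h, out_p, in_h, in_p = p.dst, p.dport, p.src, p.sport
        else:
            out_h, out_p, in_h, in_p = p.src, p.sport, p.dst, p.dport
        if p.proto == "ICMP":
            out_p = in_p = 0
        return (p.proto, out_h, out_p, in_h, in_p)

    def _expire(self, now):
        for key, last in list(self.table.items()):
            if now - last > IDLE_TIMEOUT[key[0]]:
                del self.table[key]

    def filter(self, p):
        """Decide one packet: 'permit' or 'deny', updating the state table."""
        self._expire(p.t)
        key = self._key(p)
        if key in self.table:                      # part of a known flow, either direction
            self.table[key] = p.t
            return "permit"
        if self._inside(p.src) and not self._inside(p.dst):
            self.table[key] = p.t                  # inside-initiated: open state
            return "permit"
        return "deny"                              # unsolicited inbound: no state, drop

    def dump(self, now):
        """Render the table like the slide's state-table rows."""
        rows = []
        for (proto, oh, op, ih, ip_), last in self.table.items():
            idle = int(now - last)
            rows.append(f"{proto} out {oh}:{op} in {ih}:{ip_} "
                        f"idle {idle // 3600}:{idle % 3600 // 60:02d}:{idle % 60:02d}")
        return rows


def demo():
    """Replay a constructed packet sequence; return (decisions, firewall)."""
    fw = StatefulFirewall()
    seq = [
        Packet("TCP", "128.186.120.4", 40000, "67.76.135.17", 993, 0),   # inside opens IMAPS
        Packet("TCP", "67.76.135.17", 993, "128.186.120.4", 40000, 1),   # server reply
        Packet("TCP", "71.229.26.75", 60849, "128.186.120.56", 22, 2),   # unsolicited inbound SSH
        Packet("UDP", "128.186.120.179", 1110, "64.70.24.76", 53, 3),    # DNS query
        Packet("UDP", "64.70.24.76", 53, "128.186.120.179", 1110, 4),    # DNS answer
        Packet("UDP", "64.70.24.76", 53, "128.186.120.179", 1110, 204),  # late answer, UDP state expired
    ]
    return [fw.filter(p) for p in seq], fw


if __name__ == "__main__":
    decisions, fw = demo()
    print(decisions)
    print("\n".join(fw.dump(204)))
```

The late DNS answer is the case worth noting: a stateless ACL that permits `udp any eq 53` inbound would accept it forever, while the stateful table drops it once the 120-second UDP idle timer has cleared the entry. This is also why the slide distinguishes stateful filtering (this layer 4 bookkeeping) from stateful inspection, which additionally looks inside the permitted payload.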
Firewall Product Examples
  • Hardware firewall
    • CISCO PIX firewall
    • Home router firewall
  • Software firewall
    • Iptables – Linux
    • Ipfilter – Solaris
    • Windows XP
IPS/IDS
  • Intrusion Prevention/Detection System
    • A firewall is good at packet filtering but weak at layer 7 inspection
    • IPS/IDS operates on layers 2-7
    • IPS can do application protection, performance protection, and infrastructure protection
    • It uses specialized network devices and a database of known attack signatures
IPS/IDS
  • IPS examples
    • TippingPoint UnityOne IPS
      • Uses “Digital Vaccine” to effectively block viruses/worms, spyware, phishing, P2P, DDoS
      • Does not replace a firewall
IPS/IDS
  • IPS examples
    • Packeteer Traffic Shaper
      • Guarantees bandwidth availability for legitimate network traffic
      • Controls malicious network traffic
      • Better use of existing bandwidth
IPS/IDS
  • IPS examples
    • CISCO ASA
      • Uses a modular approach
      • Simplifies configuration and management
IPS/IDS
  • IDS examples
    • Snort
      • An open source solution
      • Low-budget system suitable for the organizational-unit level
      • Runs on UNIX, Linux, Windows
      • Slower compared to ASA, TippingPoint
      • More flexible compared to ASA, TippingPoint
VLAN
  • A Virtual LAN is used for resource separation
    • Divides a physical network into multiple virtual networks
    • Network traffic in one VLAN won’t reach another VLAN by default
    • Inter-VLAN traffic must go through a router, where an ACL can be used to filter unwanted flows
SPAM Solution
  • SPAM and email viruses
    • Email is one of the most important network services; SPAM has become a big issue for many organizations
    • Many commercial SPAM-filtering products are available.
    • We use GFI MailEssentials and GFI MailSecurity.
      • RBL checking, header checking, message body checking
      • Virus checking, phishing checking
    • Also use SpamAssassin, procmail, ClamAV
    • Tumbleweed Mail Email Firewall (MMS)
      • Automatic quarantine and user release/deletion function
AAA
  • Authentication
    • Use strong authentication methods
      • Kerberos, SSH, PKI
  • Authorization
    • Define access control
    • Harden network resources (servers)
    • Separate vulnerable servers from the rest of the network (DMZ)
  • Auditing
    • Central log server
    • Log analyzer/watcher