
Network Perimeter Security

Yu Wang


Main Topics

  • Border Router

  • Firewall

  • IPS/IDS

  • VLAN

  • SPAM

  • AAA

  • Q/A


Border Router

  • Gate to the Internet

  • First and last line of defense

  • Role of a router

    • Designed to route packets

    • Operates primarily on layer 3

    • Able to filter packets using Access Control Lists (ACLs)

  • Limited as a network security control


Router ACL

  • Standard ACL (layer 3)

    • access-list 1 permit 168.223.0.0 0.0.255.255

    • access-list 2 deny 192.168.0.0 0.0.0.255

  • Extended ACL (layer 3, 4)

    • access-list 101 permit tcp 168.223.0.0 0.0.255.255 host 128.186.6.14 eq www

    • access-list 101 deny tcp 192.168.0.0 0.0.0.255 any log

    • access-list 101 deny ip any any
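To make the semantics of the slide's ACL lines concrete, here is an added Python evaluator (not code from the presentation or from Cisco IOS). It parses numbered standard and extended ACL lines exactly as written above and applies the rules an IOS router applies: first match wins, an unmatched packet hits the implicit deny at the end of every list, and wildcard masks are the inverse of subnet masks (0 bit must match, 1 bit is ignored). The `PORT_NAMES` table, the packets fed to it and the `evaluate` signature are assumptions made for the example.

```python
"""Cisco-style numbered ACL evaluator: an added illustration, not code from
the presentation or from Cisco IOS.  Entries are tried in order, the first
match decides, and an unmatched packet hits the implicit 'deny' that ends
every ACL.  Wildcard masks are the inverse of subnet masks: a 0 bit must
match, a 1 bit is ignored."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Subset of the IOS port keywords; 'www' is the one used on the slide (assumed table).
PORT_NAMES = {"www": 80, "ssh": 22, "domain": 53, "smtp": 25}

AddrSpec = Tuple[str, str]  # (network, wildcard mask)
ANY: AddrSpec = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True if addr matches network under the Cisco wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # bits that must match
    return (a & care) == (n & care)


def _parse_addr(tokens: list) -> AddrSpec:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    # Standard ACLs allow a bare address, which IOS treats as wildcard 0.0.0.0
    wildcard = tokens.pop(0) if tokens else "0.0.0.0"
    return (tok, wildcard)


@dataclass
class AclEntry:
    action: str            # 'permit' or 'deny'
    proto: str             # 'ip' matches every protocol
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int]   # destination port from 'eq', if any
    log: bool              # 'log' keyword: matches are reported to syslog


def parse_ace(line: str) -> AclEntry:
    """Parse one 'access-list N permit|deny ...' line (numbered ACL syntax)."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if number < 100 or 1300 <= number <= 1999:   # standard ACL: source address only
        return AclEntry(action, "ip", _parse_addr(rest), ANY, None, False)
    proto = rest.pop(0)                          # extended ACLs name the protocol first
    src, dst = _parse_addr(rest), _parse_addr(rest)
    dport, log = None, False
    while rest:
        tok = rest.pop(0)
        if tok == "eq":
            port = rest.pop(0)
            dport = PORT_NAMES.get(port) or int(port)
        elif tok == "log":
            log = True
    return AclEntry(action, proto, src, dst, dport, log)


def evaluate(acl: list, proto: str, src: str, dst: str, dport: Optional[int] = None):
    """Return (action, matching entry); the entry is None when the implicit deny fires."""
    for entry in acl:
        if entry.proto != "ip" and entry.proto != proto:
            continue
        if not wildcard_match(src, *entry.src) or not wildcard_match(dst, *entry.dst):
            continue
        if entry.dport is not None and entry.dport != dport:
            continue
        return entry.action, entry
    return "deny", None


# The ACLs from the slide, parsed into rule lists.
ACL_2 = [parse_ace("access-list 2 deny 192.168.0.0 0.0.0.255")]
ACL_101 = [parse_ace(line) for line in (
    "access-list 101 permit tcp 168.223.0.0 0.0.255.255 host 128.186.6.14 eq www",
    "access-list 101 deny tcp 192.168.0.0 0.0.0.255 any log",
    "access-list 101 deny ip any any",
)]

if __name__ == "__main__":
    for pkt in [("tcp", "168.223.5.9", "128.186.6.14", 80),
                ("tcp", "192.168.0.7", "128.186.6.14", 80),
                ("tcp", "168.223.5.9", "128.186.6.14", 443)]:
        action, entry = evaluate(ACL_101, *pkt)
        print(pkt, "->", action, "(logged)" if entry and entry.log else "")
```

Note that the third sample packet (HTTPS to the same host) is dropped by the explicit `deny ip any any`, not by the implicit deny, so the returned entry is the `ip` rule; the only difference in practice is that the explicit rule's hit counter increments, which is why operators often end an ACL with one.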


Firewall

  • What is a firewall

    • A network device designed to filter packets

    • A software application that performs the same function

  • Firewalls operate on layers 3 – 7

  • A firewall is stateful

    • If a packet is allowed to pass, an entry is added to the state table


TCP States


Firewall Stateful Operations

  • State Table

    • TCP out 67.76.135.17:26944 in 128.186.120.4:993 idle 23:27:42 bytes 333091 flags UfFIOB

    • TCP out 71.229.26.75:60849 in 128.186.120.56:22 idle 2:26:47 bytes 2074496 flags UIOB

    • ICMP out 192.168.25.15:512 in 128.186.120.179:0 idle 0:00:00 bytes 2048

    • UDP out 64.70.24.76:53 in 128.186.120.179:1110 idle 0:00:00 flags -

  • Stateful filtering – layer 4 and lower

  • Stateful Inspection – all layers
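The following added example (not code from the presentation or from Cisco) ties the two stateful slides together: it parses PIX-style `show conn` lines like the ones in the state table above, permits packets that belong to an existing connection in either direction, and creates a new state entry only when the first packet of a flow is allowed by policy. The `demo_policy` function, the direction labels `in`/`out`, and the `FLAG_MEANINGS` legend (a subset of the documented PIX/ASA connection flags) are assumptions made for the example; the connection lines are constructed copies of the slide's entries.

```python
"""Toy stateful firewall around a PIX-style connection table.  Added example,
not code from the presentation or from Cisco: parses 'show conn'-style lines,
lets packets of an existing connection through in either direction, and adds
a state entry only when a new flow is allowed by policy ("if a packet is
allowed to pass, an entry is added to the state table")."""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

Endpoint = Tuple[str, int]  # (address, port); for ICMP the port field carries the ICMP id/type

# 'out' is the endpoint on the outside (untrusted) interface, 'in' the protected one.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP) out (?P<oaddr>[\d.]+):(?P<oport>\d+) "
    r"in (?P<iaddr>[\d.]+):(?P<iport>\d+) idle (?P<h>\d+):(?P<m>\d+):(?P<s>\d+)"
    r"(?: bytes (?P<bytes>\d+))?(?: flags (?P<flags>\S+))?$"
)

# Subset of the PIX/ASA connection-flag legend, used by the audit helper below.
FLAG_MEANINGS = {"U": "up", "I": "inbound data", "O": "outbound data",
                 "B": "initial SYN from outside", "f": "inside FIN", "F": "outside FIN"}


@dataclass(frozen=True)
class Conn:
    proto: str
    outside: Endpoint
    inside: Endpoint
    idle_s: int      # idle time in seconds
    nbytes: int      # 0 when the line carries no byte count (the UDP entry)
    flags: str       # '' when absent or shown as '-'


def parse_conn(line: str) -> Conn:
    m = CONN_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised connection line: {line!r}")
    g = m.groupdict()
    idle = int(g["h"]) * 3600 + int(g["m"]) * 60 + int(g["s"])
    flags = g["flags"] if g["flags"] not in (None, "-") else ""
    return Conn(g["proto"], (g["oaddr"], int(g["oport"])), (g["iaddr"], int(g["iport"])),
                idle, int(g["bytes"] or 0), flags)


class StatefulFirewall:
    """State table keyed on (proto, outside endpoint, inside endpoint)."""

    def __init__(self, conn_lines: List[str], policy: Callable[..., bool]):
        self.conns = [parse_conn(line) for line in conn_lines]
        self.table = {(c.proto, c.outside, c.inside) for c in self.conns}
        self.policy = policy   # policy(proto, src, dst, direction) -> allow a new flow?

    def check(self, proto: str, src: Endpoint, dst: Endpoint, direction: str) -> str:
        """direction is the interface the packet arrived on: 'in' from outside, 'out' from inside."""
        outside, inside = (src, dst) if direction == "in" else (dst, src)
        key = (proto, outside, inside)
        if key in self.table:
            return "permit:state"      # layer-4 stateful filtering: known flow, either direction
        if self.policy(proto, src, dst, direction):
            self.table.add(key)        # first packet of an allowed flow creates the state entry
            return "permit:policy"
        return "deny"                  # no state and not an allowed new flow

    def initiated_from_outside(self) -> List[Conn]:
        """Audit helper: connections whose initial SYN came from outside ('B' flag)."""
        return [c for c in self.conns if "B" in c.flags]


# Constructed copies of the slide's state-table lines ('-' means no flags).
CONN_LINES = [
    "TCP out 67.76.135.17:26944 in 128.186.120.4:993 idle 23:27:42 bytes 333091 flags UfFIOB",
    "TCP out 71.229.26.75:60849 in 128.186.120.56:22 idle 2:26:47 bytes 2074496 flags UIOB",
    "ICMP out 192.168.25.15:512 in 128.186.120.179:0 idle 0:00:00 bytes 2048",
    "UDP out 64.70.24.76:53 in 128.186.120.179:1110 idle 0:00:00 flags -",
]


def demo_policy(proto: str, src: Endpoint, dst: Endpoint, direction: str) -> bool:
    """Constructed policy: any new outbound flow; inbound only TCP to the IMAPS server."""
    if direction == "out":
        return True
    return proto == "TCP" and dst == ("128.186.120.4", 993)


if __name__ == "__main__":
    fw = StatefulFirewall(CONN_LINES, demo_policy)
    print(fw.check("TCP", ("128.186.120.56", 22), ("71.229.26.75", 60849), "out"))  # permit:state
    print(fw.check("TCP", ("203.0.113.9", 4000), ("128.186.120.56", 22), "in"))     # deny
    for c in fw.initiated_from_outside():
        print(c.inside, [FLAG_MEANINGS.get(f, f) for f in c.flags])
```

The point of the `in`/`out` split is that a stateless ACL would need a permanent "permit return traffic from any port 53" rule to let DNS replies in, whereas the state table admits only the reply to a query it has already seen. `initiated_from_outside` shows why the flags column matters to a defender: entries carrying `B` are connections an external host opened towards the inside, which is exactly the set worth reconciling against the published-service list.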


Firewall Product Examples

  • Hardware firewall

    • CISCO PIX firewall

    • Home router firewall

  • Software firewall

    • iptables – Linux

    • IPFilter – Solaris

    • Windows XP


IPS/IDS

  • Intrusion Prevention/Detection System

    • Firewalls are good at packet filtering but weak at layer 7 inspection

    • IPS/IDS operates on layers 2-7

    • IPS can provide application protection, performance protection, and infrastructure protection

    • It uses purpose-built network devices and a database of known attack signatures


IPS/IDS

  • IPS examples

    • TippingPoint UnityOne IPS

      • Uses “Digital Vaccine” to effectively block viruses/worms, spyware, phishing, P2P, DDoS

      • Does not replace a firewall


IPS/IDS

  • IPS examples

    • Packeteer Traffic Shaper

      • Guarantees bandwidth availability for legitimate network traffic

      • Controls malicious network traffic

      • Makes better use of existing bandwidth


IPS/IDS

  • IPS examples

    • CISCO ASA

      • Uses a modular approach

      • Simplifies configuration and management


IPS/IDS

  • IDS examples

    • Snort

      • An open source solution

      • Low-budget system suitable for the organizational-unit level

      • Runs on UNIX, Linux, Windows

      • Slower compared to ASA and TippingPoint

      • More flexible compared to ASA and TippingPoint


VLAN

  • A Virtual LAN is used for resource separation

    • Divides a physical network into multiple virtual networks

    • Network traffic in one VLAN does not reach another VLAN by default

    • Inter-VLAN traffic must go through a router, where an ACL can be used to filter unwanted flows


SPAM Solution

  • SPAM and email viruses

    • Email is one of the most important network services; SPAM has become a big issue for many organizations

    • Many commercial SPAM-filtering products are available.

    • We use GFI MailEssentials and GFI MailSecurity.

      • RBL checking, header checking, message body checking

      • Virus checking, phishing checking

    • Also use SpamAssassin, procmail, ClamAV

    • Tumbleweed Mail Email Firewall (MMS)

      • Automatic quarantine and user release/deletion function
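The three checks named above (RBL, header, message body) can be shown in a few dozen lines. The example below is added here and is not the presentation's setup nor GFI or SpamAssassin code: it builds the reversed-octet RBL query name, answers it from a constructed in-memory resolver so the example runs offline (a real filter sends an A-record query for the same name and treats any answer in 127.0.0.0/8 as "listed"), and sums rule scores against a threshold. The zone `rbl.example`, the rules and their scores, and the two sample messages are all constructed; the 5.0 threshold mirrors SpamAssassin's default `required_score`.

```python
"""SPAM scoring with an RBL lookup plus header and body checks.  Added
illustration only; not the presentation's setup and not GFI or SpamAssassin
code.  The resolver is a constructed in-memory table so the example runs
offline.  Rules, scores and the 5.0 threshold are constructed for the example
(the threshold mirrors SpamAssassin's default required_score)."""
import email
import ipaddress
import re
from email.message import Message
from typing import Callable, List, Optional, Tuple

RBL_ZONE = "rbl.example"   # hypothetical blocklist zone

# RBLs answer a listed address with an A record inside 127.0.0.0/8
FAKE_DNS = {"4.113.0.203.rbl.example": "127.0.0.2"}   # 203.0.113.4 is "listed" (constructed)
LISTED = ipaddress.IPv4Network("127.0.0.0/8")


def rbl_query_name(ip: str, zone: str) -> str:
    """RBL lookups reverse the octets of the client IP and append the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def rbl_listed(ip: str, zone: str = RBL_ZONE, resolve: Callable = FAKE_DNS.get) -> bool:
    answer = resolve(rbl_query_name(ip, zone))
    return answer is not None and ipaddress.IPv4Address(answer) in LISTED


RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(msg: Message) -> Optional[str]:
    """Client address from the topmost Received: header, the one our own MX wrote
    (lower Received: lines come from the sender and can be forged)."""
    received = msg.get_all("Received") or []
    m = RECEIVED_IP.search(received[0]) if received else None
    return m.group(1) if m else None


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts (handles single-part and multipart mail)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def _rbl_rule(msg: Message) -> bool:
    ip = connecting_ip(msg)
    return ip is not None and rbl_listed(ip)


# (name, score, predicate): one RBL check, two header checks, one body check.
RULES: List[Tuple[str, float, Callable[[Message], bool]]] = [
    ("RBL_LISTED", 3.0, _rbl_rule),
    ("MISSING_MSGID", 1.5, lambda m: m.get("Message-ID") is None),
    ("MISSING_DATE", 1.0, lambda m: m.get("Date") is None),
    ("BODY_VERIFY_ACCOUNT", 2.0,
     lambda m: re.search(r"verify your account", body_text(m), re.I) is not None),
]
THRESHOLD = 5.0


def score(raw: str):
    """Return (total, [(rule, score), ...], is_spam) for one raw RFC 822 message."""
    msg = email.message_from_string(raw)
    hits = [(name, pts) for name, pts, test in RULES if test(msg)]
    total = sum(pts for _, pts in hits)
    return total, hits, total >= THRESHOLD


# Constructed sample messages (continuation lines of Received: start with a tab).
SPAM = """\
Received: from mail.example (mail.example [203.0.113.4])
\tby mx.example.edu with ESMTP; Mon, 1 Jan 2007 10:00:00 -0500
From: "Bank" <alerts@bank.example>
To: user@example.edu
Subject: Action required

Please verify your account within 24 hours.
"""
HAM = """\
Received: from smtp.partner.example (smtp.partner.example [198.51.100.7])
\tby mx.example.edu with ESMTP; Mon, 1 Jan 2007 11:00:00 -0500
Message-ID: <20070101160000.1234@partner.example>
Date: Mon, 1 Jan 2007 11:00:00 -0500
From: colleague@partner.example
To: user@example.edu
Subject: Meeting notes

Notes from this morning are attached to the ticket.
"""

if __name__ == "__main__":
    for label, raw in (("spam", SPAM), ("ham", HAM)):
        print(label, score(raw))
```

Only the topmost `Received:` header is trusted for the RBL lookup because it is the one written by the receiving MX; anything below it arrived inside the message and is under the sender's control.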


AAA

  • Authentication

    • Use strong authentication methods

      • Kerberos, SSH, PKI

  • Authorization

    • Define access control

    • Harden network resources (servers)

    • Separate vulnerable servers from the rest of the network (DMZ)

  • Auditing

    • Central log server

    • Log analyzer/watcher


Questions

