SECURING YOUR NETWORK PERIMETER



Presentation Transcript


  1. Chapter 10 SECURING YOUR NETWORK PERIMETER

  2. CHAPTER OBJECTIVES
  • Establish secure topologies.
  • Secure network perimeters.
  • Implement firewalls.

  3. SECURING YOUR NETWORK PERIMETER
  • Secure the network perimeter, not just individual components.
  • Secure connections between components.
  • Use security zones.
  • Manage network traffic between security zones.
  • The most important zone or boundary is the Internet.
  • Firewalls are boundary control devices.

  4. ESTABLISHING SECURE TOPOLOGIES
  • A secure topology is a network design.
  • Group devices in security zones.
  • Segregate network traffic.
  • Control the information flow.

  5. SECURITY ZONES
  • Security zones group assets with similar security requirements.
  • They segregate mission-critical systems.
  • Access control mechanisms define what access is allowed between zones.
  • Security zones reduce the attack surface of network resources.
  • Security zones focus your attention on possible threats and vulnerabilities.

  6. VIRTUAL LOCAL AREA NETWORKS (VLANs)
  • Used to segment a network into smaller subnetworks
  • Used to create security zones
  • Are virtual subnets
  • Are created by using switches
  • Are supported by routers

  7. VIRTUAL LOCAL AREA NETWORKS (VLANs) (CONT.)
  • Restrict broadcast traffic
  • Are flexible and scalable
  • Hide the physical configuration of the network
  • Need secure and physically protected switches

  8. SECURING NETWORK PERIMETERS
  • Establish boundaries between security zones.
  • Separate the private network from the Internet.
  • Define the allowed traffic that can cross the perimeter.
  • Use routers and firewalls to control perimeter traffic.
  • Filter for malicious code.
  • Monitor for intrusion activities.

  9. ESTABLISHING NETWORK SECURITY ZONES
  • Place firewalls between internal and external networks.
  • Use multiple firewalls if you need to create multiple layers of protection.
  • Put Internet-accessible resources in separate network segments.
  • The segment between firewalls is called a perimeter network, demilitarized zone (DMZ), or screened subnet.

  10. COMMON SECURITY ZONES
  • Intranet
  • Perimeter network
  • Extranet
  • Internet

  11. CONFIGURATION OF SECURITY ZONES (figure)

  12. INTRANET
  • Is the primary and most sensitive security zone of an organization
  • Is also known as an internal network, private network, or LAN
  • Contains all private internal resources
  • Is considered a trusted network
  • Is vulnerable to internal attackers

  13. SECURING AN INTRANET
  • Deploy firewalls against all other networks.
  • Install and update antivirus solutions.
  • Audit and monitor online activity.
  • Secure systems hosting confidential data.
  • Manage the security of the physical infrastructure.

  14. SECURING AN INTRANET (CONT.)
  • Check for unauthorized devices.
  • Restrict access to critical systems.
  • Control physical access.
  • Remove all unnecessary services from server systems.

  15. PERIMETER NETWORKS
  • Grant controlled access to public resources
  • Prevent external traffic from entering the intranet
  • Are also called DMZs or screened subnets
  • Are used to provide a buffer between the private trusted network and the Internet or untrusted network segments

  16. SECURING A PERIMETER NETWORK
  • Use firewalls to provide protection from external untrusted networks.
  • Remove all unnecessary services.
  • Audit all online activity.
  • Separate name resolution services.
  • Remove or restrict remote management services.
  • Carefully document and audit all physical and logical configurations.
  • Frequently back up data and configurations.

  17. EXTRANET
  • Is used for partner access to controlled resources
  • Is used to share information between members of multiple organizations
  • Requires authenticated external connections
  • Is often directly accessible from the Internet
  • Might use virtual private networks (VPNs)

  18. METHODS OF EXTRANET ACCESS (figure)

  19. SECURING AN EXTRANET
  • Use firewalls to provide protection from the external network.
  • Authenticate all access.
  • Remove all unnecessary services.
  • Audit all network and service access.

  20. PERIMETER NETWORK TYPES
  • Perimeter networks are established by means of firewalls.
  • Firewalls manage traffic across the boundaries of different security zones.
  • There are two common perimeter network designs:
      • Three-pronged design
      • Back-to-back design

  21. THREE-PRONGED PERIMETER NETWORK DESIGN
  • Uses a single firewall
  • Connects the Internet, an intranet, and a perimeter network
  • Can be a single point of failure

  22. THREE-PRONGED PERIMETER NETWORK (figure)

  23. BACK-TO-BACK PERIMETER NETWORK DESIGN
  • Uses two firewalls
  • Is also called a buffer network or screened subnet
  • Has no single point of failure
  • Supports more restrictive security rules
  • Increases the security of the intranet
  • Provides defense-in-depth protection

  24. BACK-TO-BACK PERIMETER NETWORK (figure)

  25. USING AN N-TIER ARCHITECTURE
  • An n-tier architecture provides multiple tiers of security zones.
  • Each tier supports a portion of a business operation.
  • Traffic is controlled between each tier.
  • Compromise of one tier does not imply complete failure.

  26. A 3-TIER NETWORK DESIGN (figure)

  27. BASTION HOSTS
  • A bastion host is a single host that provides all externally accessible services.
  • A single firewall routes external traffic to the bastion host.
  • All access is tightly controlled and monitored.
  • This is the least secure network design.

  28. A BASTION HOST DESIGN (figure)

  29. NETWORK PERIMETER SECURITY AND TRAFFIC CONTROL
  • Block all traffic by default.
  • Define exceptions for authorized traffic.
  • Allow only required network traffic.
  • Don't trust all outgoing traffic by default.
  • Inspect blocked traffic and track down the source.

  30. FIREWALL FUNCTIONS
  • Protect a network from malicious hackers and software
  • Block external threats
  • Filter inbound and outbound traffic
  • Separate private networks from the Internet
  • Separate subnets or individual systems

  31. FIREWALL TYPES
  • Packet filtering
  • Application filtering
  • Circuit-level inspection
  • Stateful inspection
  • Content inspection
  • Proxy server functionality

  32. USING PACKET FILTERING
  • A packet filtering firewall inspects the header of each packet.
  • The firewall forwards or drops each packet based on rules.
  • Packet filter rules focus on inbound or outbound packets.
  • Packet filter rules judge source or destination address, other header field content, or packet size.
  • Most firewalls and routers can perform packet filtering.

  33. COMMON FILTER-FOCUSED HEADER FIELDS
  • Source IP Address
  • Destination IP Address
  • IP Protocol ID
  • Source TCP or UDP Port Number
  • Destination TCP or UDP Port Number

  34. COMMON FILTER-FOCUSED HEADER FIELDS (CONT.)
  • Protocol and Port Numbers
  • ICMP Message Type
  • Fragmentation Flags
  • IP Options
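The following is an added example, not part of the slide deck or of any product the deck describes: a small packet filter that judges each packet against the header fields slides 32 to 34 list (source and destination address, protocol, destination port, ICMP type, fragmentation), with first-match rule evaluation and the default-deny stance of slide 29. The addresses, rule set and packets are constructed; the 203.0.113.0/24 and 198.51.100.0/24 prefixes are documentation ranges and the intranet is assumed to be 10.0.0.0/8.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Only the header fields the slides name as filter criteria (constructed)."""
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    fragment: bool = False           # True for a non-initial IP fragment


@dataclass(frozen=True)
class Rule:
    """One packet-filter rule; None in a field means 'any'."""
    action: str                      # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; a packet matching no rule is dropped (default deny)."""
    # A non-initial fragment carries no TCP/UDP/ICMP header, so port and type
    # rules cannot be judged for it. Dropping it is the conservative choice made
    # here; the initial fragment, which carries the header, is judged normally.
    if pkt.fragment:
        return "deny"
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed inbound rule set for a perimeter network on 203.0.113.0/24
# with the intranet assumed to be 10.0.0.0/8.
INBOUND_RULES = [
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dport=443),    # public web server
    Rule("allow", dst="203.0.113.11/32", proto="udp", dport=53),     # public DNS
    Rule("allow", dst="203.0.113.0/24", proto="icmp", icmp_type=3),  # destination unreachable
    Rule("deny", dst="10.0.0.0/8"),  # explicit: Internet traffic never reaches the intranet
]


def classify(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Decisions for a batch of packets, in order."""
    return [evaluate(rules, p) for p in packets]


if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("198.51.100.7", "203.0.113.10", "tcp", 51000, 443),
        Packet("198.51.100.7", "203.0.113.10", "tcp", 51001, 22),
        Packet("198.51.100.7", "10.1.2.3", "tcp", 51002, 443),
        Packet("198.51.100.7", "203.0.113.10", "icmp", icmp_type=8),
        Packet("198.51.100.7", "203.0.113.10", "tcp", 51000, 443, fragment=True),
    ]
    for pkt, decision in zip(samples, classify(INBOUND_RULES, samples)):
        print(decision, pkt)
```

Because a packet that matches nothing is denied, the last rule is strictly redundant; it is kept so that the intent (the intranet is never reachable from outside) is visible in the rule set itself, which matters when someone later appends an allow rule.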

  35. A PACKET FILTERING FIREWALL (figure)

  36. CIRCUIT-LEVEL INSPECTION
  • This type of inspection does not examine each packet.
  • Circuit-level inspection monitors connection establishment.
  • If a connection is allowed, no further restrictions are imposed.
  • Circuit-level inspection is more efficient than packet filtering.
  • Many firewalls can perform circuit-level inspection.

  37. STATEFUL INSPECTION
  • Combines features of packet filtering and circuit-level firewalls
  • First, restricts connections only to authorized users
  • Second, inspects subsequent packets to restrict traffic based on context
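An added example (not from the slide deck) of the two-step behaviour slide 37 describes: a stateful inspector that first admits only connections opened from the intranet to permitted ports, then judges every later segment against the recorded state of its connection, so a reply is allowed only when a matching connection exists. The intranet prefix (10.0.0.0/8), the permitted outbound ports and the segments are constructed assumptions; the state names follow the TCP handshake but the table is deliberately minimal.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Tuple

INTRANET = ip_network("10.0.0.0/8")      # assumed trusted zone
ALLOWED_OUTBOUND_PORTS = {80, 443}       # assumed policy: intranet may open web connections only


@dataclass(frozen=True)
class Segment:
    """A TCP segment reduced to the fields the inspector needs (constructed)."""
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTRANET


class StatefulFirewall:
    """Tracks intranet-initiated TCP connections and admits only their traffic."""

    def __init__(self) -> None:
        # key: (internal ip, internal port, external ip, external port) -> state
        self.table: Dict[Tuple[str, int, str, int], str] = {}

    def inspect(self, seg: Segment) -> str:
        outbound = is_internal(seg.src) and not is_internal(seg.dst)
        inbound = is_internal(seg.dst) and not is_internal(seg.src)
        if not (outbound or inbound):
            return "deny"                         # not perimeter traffic at all
        key = ((seg.src, seg.sport, seg.dst, seg.dport) if outbound
               else (seg.dst, seg.dport, seg.src, seg.sport))
        state = self.table.get(key)

        if state is None:
            # Step 1: only the intranet may open a connection, and only to allowed ports.
            if outbound and seg.syn and not seg.ack and seg.dport in ALLOWED_OUTBOUND_PORTS:
                self.table[key] = "SYN_SENT"
                return "allow"
            return "deny"                         # unsolicited inbound, or unknown connection

        # Step 2: later segments are judged by the context of their connection.
        if seg.rst:
            del self.table[key]                   # either side may abort; forget the connection
            return "allow"
        if state == "SYN_SENT":
            if inbound and seg.syn and seg.ack:
                self.table[key] = "SYN_RECEIVED"
                return "allow"
            if outbound and seg.syn and not seg.ack:
                return "allow"                    # retransmitted SYN
            return "deny"                         # nothing else is expected yet
        if state == "SYN_RECEIVED":
            if outbound and seg.ack and not seg.syn:
                self.table[key] = "ESTABLISHED"
                return "allow"
            return "deny"
        if state == "ESTABLISHED":
            if seg.fin:
                self.table[key] = "CLOSING"
            return "allow"
        if state == "CLOSING":
            if seg.fin:
                self.table[key] = "LAST_ACK"      # second FIN seen; one ACK remains
            return "allow"
        # LAST_ACK: the final ACK completes the close and the entry is dropped.
        if seg.ack:
            del self.table[key]
        return "allow"


if __name__ == "__main__":
    fw = StatefulFirewall()
    print(fw.inspect(Segment("198.51.100.9", "10.1.1.5", 40000, 445, syn=True)))   # deny: unsolicited inbound
    print(fw.inspect(Segment("10.1.1.5", "93.184.216.34", 50000, 443, syn=True)))  # allow: intranet opens HTTPS
    print(fw.inspect(Segment("93.184.216.34", "10.1.1.5", 443, 50000, syn=True, ack=True)))  # allow: expected reply
```

The key is always built from the intranet side's perspective, so a reply (external source, internal destination) lands on the same table entry as the request that caused it; an inbound segment with no entry is dropped no matter which port it targets.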

  38. APPLICATION LAYER FILTERING
  • Examines the content or payload of packets
  • Inspects packets based on the application used
  • Requires complex rules
  • Can detect a wide range of attacks and malicious code
  • Has slower performance than other methods

  39. TUNNELING
  • Tunneling is a technique used to bypass a firewall's inspection mechanisms.
  • Tunneling encapsulates network packets in allowed network traffic.
  • Encryption is a common tunneling option.
  • If content inspection is not possible, an intrusion detection system (IDS) might be needed.

  40. PROXY SERVERS
  • Operate at the circuit level or the application layer
  • Accept connections from clients
  • Establish a distinct connection to external servers
  • Allow no direct connection between client and server
  • Support content checking and resource caching

  41. A PROXY SERVER (figure)

  42. NETWORK ADDRESS TRANSLATION (NAT)
  • Allows multiple internal clients to access the Internet over a few public leased addresses
  • Converts and manages traffic through translation of IP addresses and port numbers
  • Allows use of the private IP addresses (10.x.x.x, 172.16.x.x–172.31.x.x, and 192.168.x.x)
  • Hides the internal network structure and address scheme
  • Prevents external entities from directly accessing internal clients

  43. NAT VARIATIONS
  • Static NAT
  • Dynamic NAT
  • Port address translation (PAT)
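An added example, not from the slide deck, of how the translation slides 42 and 43 describe works in the two variations that differ most: port address translation (many private hosts behind one public address, told apart by port) and static NAT (a fixed one-to-one mapping, as used to publish a DMZ server). The public address 203.0.113.5, the internal hosts and the flows are constructed; the mapping is keyed on the full flow, which is one of several PAT designs, and the code checks that only RFC 1918 sources are translated.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# The three private ranges the slide names (RFC 1918).
PRIVATE_RANGES = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

Flow = Tuple[str, int, str, int]   # (src ip, src port, dst ip, dst port)


def is_private(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


class PortAddressTranslator:
    """PAT: many private hosts share one public address; the port tells them apart."""

    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535) -> None:
        self.public_ip = public_ip
        self._next_port = first_port
        self._last_port = last_port
        self._out: Dict[Flow, int] = {}                               # internal flow -> public port
        self._in: Dict[Tuple[int, str, int], Tuple[str, int]] = {}   # (public port, ext ip, ext port) -> internal

    def outbound(self, flow: Flow) -> Optional[Flow]:
        """Rewrite an internal->external flow to its public form, allocating a port on first use."""
        src_ip, src_port, dst_ip, dst_port = flow
        if not is_private(src_ip):
            return None                       # only the private side is translated
        if flow not in self._out:
            if self._next_port > self._last_port:
                raise RuntimeError("translation table exhausted")
            pub_port = self._next_port
            self._next_port += 1
            self._out[flow] = pub_port
            self._in[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self._out[flow], dst_ip, dst_port)

    def inbound(self, flow: Flow) -> Optional[Flow]:
        """Rewrite a reply back to the internal host; None when no mapping exists."""
        src_ip, src_port, dst_ip, dst_port = flow
        if dst_ip != self.public_ip:
            return None
        internal = self._in.get((dst_port, src_ip, src_port))
        if internal is None:
            return None                       # unsolicited: no internal client is ever reached
        return (src_ip, src_port, internal[0], internal[1])


class StaticNat:
    """Static NAT: a fixed one-to-one public/internal address pair in both directions."""

    def __init__(self, public_to_internal: Dict[str, str]) -> None:
        self._pub_to_int = dict(public_to_internal)
        self._int_to_pub = {v: k for k, v in public_to_internal.items()}

    def inbound(self, public_ip: str) -> Optional[str]:
        return self._pub_to_int.get(public_ip)

    def outbound(self, internal_ip: str) -> Optional[str]:
        return self._int_to_pub.get(internal_ip)


if __name__ == "__main__":
    pat = PortAddressTranslator("203.0.113.5")            # constructed public address
    print(pat.outbound(("192.168.1.10", 50000, "93.184.216.34", 80)))
    print(pat.outbound(("192.168.1.11", 50000, "93.184.216.34", 80)))   # same source port, different public port
    print(pat.inbound(("93.184.216.34", 80, "203.0.113.5", 1025)))      # reply reaches 192.168.1.11
    print(pat.inbound(("198.51.100.9", 4444, "203.0.113.5", 3389)))     # None: nothing was mapped
```

The last call shows the security benefit the summary slide names: an external host that was never contacted finds no mapping, so its packet has no internal destination and is dropped at the translator.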

  44. FIREWALL ISSUES
  • Misconfiguration is a common cause of firewall failure.
  • Avoid default-allow rules; use default-deny rules.
  • Manage the rule execution order.
  • Keep firewalls patched and updated.
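The misconfigurations slide 44 warns about can be checked mechanically. The following is an added example (not from the slide deck) of a rule-set audit that flags an any-to-any allow rule, a rule set that does not end in a default deny, and rules that an earlier rule already covers, so they can never take effect under first-match evaluation (harmless if both have the same action, a logic error if they differ). Rules are plain dictionaries and the two sample rule sets are constructed.

```python
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple

Rule = Dict[str, object]          # keys: action, src, dst, proto, dport (None means any)
Finding = Tuple[str, int, Optional[int]]   # (kind, rule index, index of the rule that shadows it)

ANY = "0.0.0.0/0"


def rule(action: str, src: str = ANY, dst: str = ANY,
         proto: Optional[str] = None, dport: Optional[int] = None) -> Rule:
    return {"action": action, "src": src, "dst": dst, "proto": proto, "dport": dport}


def covers(a: Rule, b: Rule) -> bool:
    """True when every packet that rule b would match is also matched by rule a."""
    if not ip_network(b["src"]).subnet_of(ip_network(a["src"])):
        return False
    if not ip_network(b["dst"]).subnet_of(ip_network(a["dst"])):
        return False
    if a["proto"] is not None and a["proto"] != b["proto"]:
        return False
    if a["dport"] is not None and a["dport"] != b["dport"]:
        return False
    return True


def is_any_any(r: Rule) -> bool:
    return (ip_network(r["src"]).prefixlen == 0 and ip_network(r["dst"]).prefixlen == 0
            and r["proto"] is None and r["dport"] is None)


def audit(rules: List[Rule]) -> List[Finding]:
    """Return findings in rule order; an empty list means no issue was detected."""
    findings: List[Finding] = []
    for i, r in enumerate(rules):
        if r["action"] == "allow" and is_any_any(r):
            findings.append(("default-allow", i, None))
        for j in range(i):                       # first-match: only earlier rules can shadow
            if covers(rules[j], r):
                kind = "redundant" if rules[j]["action"] == r["action"] else "unreachable"
                findings.append((kind, i, j))
                break
    last_is_default_deny = bool(rules) and rules[-1]["action"] == "deny" and is_any_any(rules[-1])
    if not last_is_default_deny:
        findings.append(("missing-final-deny", len(rules), None))
    return findings


# Constructed rule sets. BAD_RULES contains the three mistakes the audit looks for.
BAD_RULES = [
    rule("allow", dst="10.0.0.0/8", proto="tcp"),               # broad allow ...
    rule("deny", dst="10.0.0.5/32", proto="tcp", dport=23),     # ... makes this deny unreachable
    rule("allow"),                                              # default-allow, and no final deny
]
GOOD_RULES = [
    rule("allow", dst="203.0.113.10/32", proto="tcp", dport=443),
    rule("deny"),                                               # explicit default deny
]

if __name__ == "__main__":
    for name, rules in (("BAD_RULES", BAD_RULES), ("GOOD_RULES", GOOD_RULES)):
        print(name, audit(rules))
```

The shadow check is a containment test on each field, which is exact for address prefixes and single ports; a production auditor would also handle port ranges and negated fields, but the containment idea is the same.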

  45. FIREWALL VULNERABILITIES
  • Compromising the firewall management console or password
  • Circumventing the firewall
  • Physically tampering with the firewall
  • Creating outbound connections

  46. SECURING FIREWALLS
  • Keep current on vendor-released information on your firewall.
  • Keep the firewall patched and updated.
  • Keep virus scanners updated.
  • Maintain physical access control.
  • Document the firewall configuration.

  47. SECURING FIREWALLS (CONT.)
  • Restrict management access.
  • Use complex passwords.
  • Test the firewall's filters and rules.
  • Look for bypasses or circumventions of the firewall's security.

  48. SUMMARY
  • Security zones divide parts of the network that have different security requirements.
  • VLANs are a method for dividing a single physical network into separate broadcast domains.
  • Typical security zones are intranets, extranets, perimeter networks, and the Internet. Firewalls are often used to control traffic between these security zones.

  49. SUMMARY (CONT.)
  • The two most commonly used firewall topologies are the back-to-back design and the three-pronged design. A back-to-back design provides multiple layers of protection. The bastion host design provides the lowest level of security.
  • Firewalls differ in the features that they provide. Common features are packet filtering, circuit-level inspection, stateful inspection, application layer filtering, and proxy server functionality.
  • NAT allows multiple computers to communicate with the Internet by using a single routable IP address or a range of IP addresses. The main security benefit of NAT is that it hides hosts from the Internet.
