Network security topologies
Presentation Transcript

Chapter 11


Learning Objectives

  • Explain the network perimeter’s importance to an organization’s security policies

  • Identify the place and role of the demilitarized zone in the network

  • Explain how network address translation is used to help secure networks

  • Spell out the role of tunneling in network security

  • Describe security features of virtual local area networks


Perimeter Security Topologies

  • Put in place using firewalls and routers on network edge

  • Permit secure communications between the organization and third parties

  • Key enablers for many mission-critical network services

  • Include demilitarized zones (DMZs), extranets, and intranets


  • Selectively admit or deny data flows from other networks based on several criteria:

    • Type (protocol)

    • Source

    • Destination

    • Content


Three-tiered Architecture

  • Outermost perimeter

  • Internal perimeters

  • Innermost perimeter


Outermost Perimeter

  • Router used to separate the organization’s network from the ISP’s network

  • Identifies the separation point between assets you control and those you do not

  • Least secure area of the network infrastructure

  • Normally reserved for routers, firewalls, public Internet servers (HTTP, FTP, Gopher)

  • Not for sensitive company information that is for internal use only


Internal Perimeters

  • Represent additional boundaries where other security measures are in place


Network Classifications

  • Trusted

  • Semi-trusted

  • Untrusted


Trusted Networks

  • Inside network security perimeter

  • The networks you are trying to protect


Semi-Trusted Networks

  • Allow access to some database materials and e-mail

  • May include DNS, proxy, and modem servers

  • Not for confidential or proprietary information

  • Referred to as the demilitarized zone (DMZ)


Untrusted Networks

  • Outside your security perimeter

  • Outside your control


Creating and Developing Your Security Design

  • Know your enemy

  • Count the cost

  • Identify assumptions

  • Control secrets

  • Know your weaknesses

  • Limit the scope of access

  • Understand your environment

  • Limit your trust


DMZ

  • Used by a company to host its own Internet services without exposing its private network to unauthorized access

  • Sits between Internet and internal network’s line of defense, usually some combination of firewalls and bastion hosts

  • Traffic originating from it should be filtered


  • Typically contains devices accessible to Internet traffic

    • Web (HTTP) servers

    • FTP servers

    • SMTP (e-mail) servers

    • DNS servers

  • Optional, more secure approach than a simple firewall; may include a proxy server
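The perimeter slides describe admitting or denying flows by type (protocol), source and destination, and the DMZ slides add that traffic originating in the DMZ should be filtered. The following is an added example, not code from the slides: a small zone-based filter in which the three tiers (trusted, DMZ, untrusted) are derived from constructed address blocks and a constructed first-match rule set decides each flow, with a default deny and an explicit deny for connections that originate in the DMZ and head for the trusted network.

```python
"""Perimeter filter that admits or denies flows by protocol, source zone and
destination zone. Added example, not code from the slides; the zone address
blocks and the rule set are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed zone map. Anything not listed is treated as untrusted.
ZONES = {
    "trusted": [ipaddress.ip_network("10.0.0.0/8")],     # inside the perimeter
    "dmz": [ipaddress.ip_network("192.0.2.0/24")],       # semi-trusted; TEST-NET-1 stands in for the public DMZ block
}


def zone_of(addr: str) -> str:
    """Classify an address as trusted, dmz or untrusted."""
    ip = ipaddress.ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "untrusted"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port
    action: str            # "permit" or "deny"


# Constructed rule set: first match wins, anything unmatched is denied.
RULES = [
    Rule("untrusted", "dmz", "tcp", 80, "permit"),        # public web server
    Rule("untrusted", "dmz", "tcp", 25, "permit"),        # inbound mail
    Rule("untrusted", "dmz", "udp", 53, "permit"),        # public DNS
    Rule("trusted", "dmz", "any", None, "permit"),        # internal users and admins reach DMZ hosts
    Rule("trusted", "untrusted", "any", None, "permit"),  # outbound Internet access
    Rule("dmz", "untrusted", "tcp", 25, "permit"),        # mail relay out
    # Flows that originate in the DMZ are filtered: a compromised DMZ host
    # must not be able to open connections into the trusted network.
    Rule("dmz", "trusted", "any", None, "deny"),
]


def evaluate(src: str, dst: str, proto: str, dport: int) -> str:
    """Return "permit" or "deny" for one flow."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for rule in RULES:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and rule.proto in ("any", proto)
                and rule.dport in (None, dport)):
            return rule.action
    return "deny"


if __name__ == "__main__":
    # Constructed sample flows: (source, destination, protocol, destination port).
    for flow in [("203.0.113.9", "192.0.2.10", "tcp", 80),
                 ("203.0.113.9", "10.1.2.3", "tcp", 80),
                 ("192.0.2.10", "10.1.2.3", "tcp", 445)]:
        print(flow, "->", evaluate(*flow))
```

The order of the rules matters only among rules that could match the same flow; the deny for DMZ-to-trusted traffic is listed explicitly so the intent is visible in the policy rather than relying solely on the default.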


DMZ Design Goals

  • Minimize scope of damage

  • Protect sensitive data on the server

  • Detect the compromise as soon as possible

  • Minimize effect of the compromise on other organizations


Intranet

  • Either a network topology or an application (usually a Web portal) used as a single point of access to deliver services to employees

  • Typically a collection of all LANs inside the firewall

  • Shares company information and computing resources among employees


  • Allows access to public Internet through firewalls that screen communications in both directions to maintain company security

  • Also called a campus network


Extranet

  • Private network that uses the Internet Protocol and the public telecommunication system to provide various levels of accessibility to outsiders

  • Can be accessed only with a valid username and password

  • Identity determines which parts of the extranet you can view


  • Requires security and privacy

    • Firewall management

    • Issuance and use of digital certificates or other user authentication

    • Encryption of messages

    • Use of VPNs that tunnel through the public network


Network Address Translation (NAT)

  • Internet standard that enables a LAN to use one set of IP addresses for internal traffic and a second set for external traffic

  • Able to translate addresses contained in an IP packet


Main Purposes of NAT

  • Provide a type of firewall by hiding internal IP addresses

  • Enable a company to use more internal IP addresses


NAT

  • Most often used to map IPs from nonroutable private address spaces defined by RFC 1918

  • Static NAT and dynamic NAT

  • Port Address Translation (PAT)

    • Variation of dynamic NAT

    • Allows many hosts to share a single IP address by multiplexing streams differentiated by TCP/UDP port numbers

    • Commonly implemented on SOHO routers
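To make concrete how PAT multiplexes many hosts onto one public address by port number, and why the NAT slides can call it "a type of firewall", here is an added example (not code from the slides) of a minimal translation table. The public address, the RFC 1918 hosts and the translated-port pool are constructed values; outbound packets get a fresh translated source port per flow, and inbound packets are only forwarded when they match an existing flow.

```python
"""Minimal Port Address Translation (PAT) table: many private hosts share one
public address, with flows told apart by the translated source port. Added
example, not from the slides; the public address, the private hosts and the
port pool are constructed."""
import ipaddress
from typing import Optional, Tuple

PUBLIC_IP = "203.0.113.1"   # constructed WAN address of the NAT router (TEST-NET-3)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True for the nonroutable private address spaces defined by RFC 1918."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


class PatTable:
    def __init__(self, first_port: int = 40000, last_port: int = 49999):
        self.next_port = first_port
        self.last_port = last_port
        # inside 5-tuple -> translated source port
        self.by_inside = {}
        # (proto, translated port) -> (inside ip, inside port, remote ip, remote port)
        self.by_outside = {}

    def outbound(self, proto: str, src_ip: str, src_port: int,
                 dst_ip: str, dst_port: int) -> Tuple[str, int]:
        """Translate a packet leaving the LAN; returns its new (source ip, source port)."""
        if not is_private(src_ip):
            raise ValueError("only RFC 1918 sources are translated")
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        if key not in self.by_inside:
            if self.next_port > self.last_port:
                raise RuntimeError("translated port pool exhausted")
            port, self.next_port = self.next_port, self.next_port + 1
            self.by_inside[key] = port
            self.by_outside[(proto, port)] = (src_ip, src_port, dst_ip, dst_port)
        return PUBLIC_IP, self.by_inside[key]

    def inbound(self, proto: str, src_ip: str, src_port: int,
                dst_port: int) -> Optional[Tuple[str, int]]:
        """Translate a packet arriving at PUBLIC_IP; None means drop.
        Only replies that match an existing outbound flow get through, which
        is the firewall-like effect the slides attribute to NAT."""
        entry = self.by_outside.get((proto, dst_port))
        if entry is None:
            return None
        inside_ip, inside_port, remote_ip, remote_port = entry
        if (src_ip, src_port) != (remote_ip, remote_port):
            return None   # not the peer this flow was opened to
        return inside_ip, inside_port


def demo() -> dict:
    """Two private hosts using the same source port reach the same server;
    the table keeps them apart by the translated port."""
    pat = PatTable()
    a = pat.outbound("tcp", "192.168.1.10", 51000, "198.51.100.7", 443)
    b = pat.outbound("tcp", "192.168.1.11", 51000, "198.51.100.7", 443)
    reply_b = pat.inbound("tcp", "198.51.100.7", 443, b[1])          # matches flow b
    unsolicited = pat.inbound("tcp", "198.51.100.7", 443, 40002)     # no such flow: dropped
    other_peer = pat.inbound("tcp", "198.51.100.8", 443, a[1])       # wrong remote host: dropped
    return {"a": a, "b": b, "reply_b": reply_b,
            "unsolicited": unsolicited, "other_peer": other_peer}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Real routers also age entries out and differ in how strictly they match the remote endpoint on inbound packets; the strict match here is one of the stricter behaviours, chosen to show the filtering effect clearly.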


Tunneling

  • Enables a network to securely send its data through untrusted/shared network infrastructure

  • Encrypts and encapsulates a network protocol within packets carried by a second network

  • Best-known example: virtual private networks

  • Replacing WAN links because of security and low cost

  • An option for most IP connectivity requirements


Example of a Tunnel


Virtual Local Area Networks (VLANs)

  • Deployed using network switches

  • Used throughout networks to segment different hosts from each other

  • Often coupled with a trunk, which allows switches to share many VLANs over a single physical link


Benefits of VLANs

  • Network flexibility

  • Scalability

  • Increased performance

  • Some security features


Security Features of VLANs

  • Can be configured to group together users in same group or team

  • Offer some protection against sniffers inserted into the network

  • Protect unused switch ports

  • Use an air gap to separate trusted from untrusted networks


Vulnerabilities of VLAN Trunks

  • Trunk autonegotiation

    • Prevention: Disable autonegotiation on all ports

  • Trunk VLAN membership and pruning

    • Prevention: Manually configure all trunk links with the VLANs that are permitted to traverse them
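The two preventions on this slide (disable trunk autonegotiation on all ports; manually list the VLANs each trunk may carry) are easy to state and easy to leave half-done across a fleet of switches. The following is an added example, not from the slides: a small audit that reads an IOS-style switch configuration and reports ports that still negotiate trunks or trunks with no allowed-VLAN list. The configuration text is constructed, and the command syntax is assumed to be Cisco IOS-style (`switchport mode`, `switchport nonegotiate`, `switchport trunk allowed vlan`).

```python
"""Audit an IOS-style switch configuration for the two trunk weaknesses on the
slide: autonegotiation left enabled, and trunks that carry every VLAN. Added
example, not from the slides; the configuration text is constructed and the
command syntax is assumed to be Cisco IOS-style."""

# Constructed sample configuration: one hardened trunk, one bare trunk,
# one port left in dynamic mode, one hardened access port.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/4
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
"""


def parse_interfaces(config: str) -> dict:
    """Split the config into {interface name: [stripped config lines]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            blocks[current] = []
        elif line == "!":
            current = None          # '!' ends the interface block
        elif current is not None and line:
            blocks[current].append(line)
    return blocks


def audit_trunks(config: str) -> list:
    """Return (interface, finding) pairs; an empty list means nothing to fix."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        # "switchport mode trunk" -> "trunk"; "switchport mode dynamic desirable" -> "dynamic"
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        if mode == "dynamic":
            findings.append((name, "dynamic mode: the port becomes a trunk if the peer negotiates one"))
        if "switchport nonegotiate" not in lines:
            # The slide's prevention applies to all ports, trunk or access.
            findings.append((name, "trunk autonegotiation still enabled: add 'switchport nonegotiate'"))
        if mode == "trunk" and not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
            findings.append((name, "trunk carries all VLANs: restrict with 'switchport trunk allowed vlan'"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit_trunks(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```

Run against a saved running-config the audit lists GigabitEthernet1/0/2 and 1/0/3 here and is silent about the two hardened ports; the same parser can be pointed at exported configurations from many switches to find the ports that the manual prevention steps missed.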


Chapter Summary

  • Technologies used to create network topologies that secure data and networked resources

    • Perimeter networks

    • Network address translation (NAT)

    • Virtual local area networks (VLANs)

