DMZ (De-Militarized Zone)

Presentation transcript:

DMZ (De-Militarized Zone) Network Security

Privilege levels in Cisco routers
Cisco IOS offers 16 privilege levels (0 through 15). User EXEC mode is level 1; privileged EXEC mode is level 15. Levels of access to commands, called privilege levels, can be configured to protect the system from unauthorized access.
Router# show privilege
Current privilege level is 15
Assign a command to the specified privilege level. The all keyword grants access to every command that starts with the specified string:
Router(config)# privilege exec all level 5 show ip
Set the password for the specified privilege level. The encryption type that follows the level is 0 for an unencrypted password string and 5 for an already encrypted (MD5) string:
Router(config)# enable secret level 6 0 letmein
Move the configure command to privilege level 14 and give level 14 its own secret:
Router(config)# privilege exec level 14 configure
Router(config)# enable secret level 14 SecretPswd14
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftprienh.html#wp1027184

General Framework J. Wang. Computer Network Security Theory and Practice. Springer 2008

What is a DMZ?
A DMZ is a computer network that sits between a trusted internal network, such as a corporate private LAN, and an untrusted external network, such as the public Internet. It is also called a perimeter network; the expansions Data Management Zone and Demarcation Zone are used as well.
When a private network is connected to an untrusted network (the Internet), the flow of traffic should be controlled by a firewall device. With a firewall, all traffic is forced through a single choke point where it is controlled, authenticated, filtered, and logged according to the configured policy. This significantly reduces, but does not eliminate, the amount of unauthorized traffic reaching the internal network.

Typical components of a DMZ network
Web servers that need to be made available to the general public, such as the company's primary Web presence advertising its products or services.
Public DNS servers that resolve the names in your domain to the appropriate IP addresses for users outside your organization.
Public FTP servers on which you provide files to the public, such as downloads of product manuals or software drivers.
Anonymous SMTP relays that forward e-mail from the Internet to the internal mail server(s).
Servers running complex e-commerce Internet and extranet applications.
Proxy servers.
Internet users can access these public resources, but they cannot get into the private, internal corporate network.

Split Configurations
Mail services can be split between servers on the DMZ and the internal network. The internal mail server handles e-mail from one computer to another on the internal network. Mail that comes in from, or is sent to, computers outside the internal network over the Internet is handled by an SMTP gateway located in the DMZ.
E-commerce systems are split the same way: the front-end server, directly accessible by Internet users, is in the DMZ, while the back-end servers that store sensitive information are on the internal network.

DMZ with two firewalls
A DMZ that uses two firewalls is called a back-to-back DMZ. The advantage of this configuration is that a fast packet-filtering firewall/router can sit at the front end (the Internet edge) to keep the public servers responsive, while a slower application-layer filtering (ALF) firewall sits at the back end (next to the corporate LAN) to give the internal network more protection without affecting the performance of the public servers.

Tri-homed DMZ
When a single firewall is used to create a DMZ, it is called a tri-homed DMZ. The firewall computer or appliance has interfaces to three separate networks:
The internal interface to the trusted network (the internal LAN)
The external interface to the untrusted network (the public Internet)
The interface to the semi-trusted network (the DMZ)

Creating a DMZ Infrastructure
Two important characteristics of the DMZ are:
It has a different network ID from the internal network. A DMZ can use either public or private IP addresses, depending on its architecture. If public addresses are used, subnet the IP address block assigned by your ISP; if private addresses are used, a Network Address Translation (NAT) device will be required.
It is separated from both the Internet and the internal network by a firewall.

Security of the DMZ
The level of security within the DMZ also depends on the nature of the servers that are placed there. DMZs fall into two security categories:
DMZs designed for unauthenticated or anonymous access
DMZs designed for authenticated access
If you have a Web server that everybody on the Internet should be able to reach (such as a Web presence advertising your company), you have to allow anonymous access: you cannot provide authentication credentials to every stranger who happens upon your site. However, if the Internet-facing servers on the DMZ are used by partners, customers, or employees working off-site, you can require authentication to access them, which makes it more difficult for an attacker to gain access.

Host Security on the DMZ
Set strong passwords and use RADIUS (or another centralized AAA service) or certificate-based authentication for remote access to the management console.
To let you manage the router through a Web page, it runs an HTTP server. It is good security practice to disable that server, since it is a point of attack:
Router(config)# no ip http server
If the Web interface must stay enabled, at least require local authentication for it:
Router(config)# username richard privilege 15 secret bigXdogYlover
Router(config)# username natalie privilege 15 secret BIGxDOGyLOVER
Router(config)# ip http server
Router(config)# ip http authentication local
Set up your VTY access for SSH (optional, but recommended; SSH also needs a hostname, a domain name and an RSA key pair generated with crypto key generate rsa before it will start):
Router(config)# username name secret password
Router(config)# line vty 0 4
Router(config-line)# transport input ssh
Router(config-line)# transport output ssh
Router(config-line)# login local
Give users different privilege levels:
Router(config)# privilege exec all level 5 show ip

Specify Traffic Exiting the Corporate Network
The corporate network zone houses private servers and internal clients. No other network should be able to reach into it. Configure an extended access list that specifies which traffic may leave the corporate network: only packets whose source address belongs to 10.10.10.0/24 are accepted on the corporate interface, so a host there cannot send traffic with a forged source address.
GAD(config)#access-list 101 permit ip 10.10.10.0 0.0.0.255 any
GAD(config)#access-list 101 deny ip any any
GAD(config)#interface fa1
GAD(config-if)#ip access-group 101 in
Can Host A ping the Web Server? Can Host A ping Host B? Can Host B ping the Web Server? Can Host B ping Host A?
(Lab topology from the figure: GAD's corporate interface fa1 is 10.10.10.1/24, its DMZ interface fa0 is 10.1.1.1/24, and the Internet side is 172.16.2.0/24.)

Limit Traffic Allowed into the Corporate Network
Traffic entering the corporate network must be limited. It will come from either the Internet or the DMZ. Traffic that belongs to a TCP session originated from the corporate network is allowed back in:
GAD(config)#access-list 102 permit tcp any any established
Note that established only checks that the TCP ACK or RST bit is set; the router keeps no session state, so an unsolicited packet with the ACK bit set still matches.
Permit ICMP replies into the network so that internal hosts receive the ICMP messages their own traffic triggers:
GAD(config)#access-list 102 permit icmp any any echo-reply
GAD(config)#access-list 102 permit icmp any any unreachable
No other traffic is wanted inside the corporate network:
GAD(config)#access-list 102 deny ip any any
Finally, apply the access list outbound on the corporate network Fast Ethernet port:
GAD(config)#interface fa1
GAD(config-if)#ip access-group 102 out
Can Host A ping the Web Server? Can Host A ping Host B? Can Host B ping the Web Server? Can Host B ping Host A?

Protect the DMZ Network
Configure an extended access list that only accepts packets sourced from the DMZ itself on the DMZ interface:
GAD(config)#access-list 111 permit ip 10.1.1.0 0.0.0.255 any
GAD(config)#access-list 111 deny ip any any
GAD(config)#interface fa0
GAD(config-if)#ip access-group 111 in
Next, specify which traffic may enter the DMZ network. It will come from either the Internet or the corporate network, requesting World Wide Web services. Configure an outbound extended access list that allows Web requests into the network:
GAD(config)#access-list 112 permit tcp any host 10.1.1.10 eq www
What command would be entered to allow DNS, Email and FTP requests into the DMZ?
For management purposes it is useful to let corporate users ping the Web Server, but not Internet users:
GAD(config)#access-list 112 permit icmp 10.10.10.0 0.0.0.255 host 10.1.1.10
GAD(config)#access-list 112 deny ip any any
GAD(config)#interface fa0
GAD(config-if)#ip access-group 112 out

Deter Spoofing
Spoofing is a common technique in which an attacker forges a valid internal source IP address on packets sent from outside. To deter it, configure an access list on the Internet-facing interface so that Internet hosts cannot easily claim an internal address. Three common source addresses that attackers forge are valid internal addresses (e.g., 10.10.10.0/24), loopback addresses (127.x.x.x), and multicast addresses (224.x.x.x to 239.x.x.x). The wildcard 31.255.255.255 below covers 224.0.0.0/3, i.e. 224.x.x.x through 255.x.x.x, so it also drops the reserved 240/4 range. The DMZ block 10.1.1.0/24 is an internal address range too and would normally be added to this list.
GAD(config)#access-list 121 deny ip 10.10.10.0 0.0.0.255 any
GAD(config)#access-list 121 deny ip 127.0.0.0 0.255.255.255 any
GAD(config)#access-list 121 deny ip 224.0.0.0 31.255.255.255 any
GAD(config)#access-list 121 permit ip any any
GAD(config)#interface serial 0
GAD(config-if)#ip access-group 121 in
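The four ACL slides above (corporate egress, corporate ingress, DMZ protection, anti-spoofing) form one configuration, and the slides keep asking which pings succeed. The following Python simulation is an added example, not part of the original slides or of Cisco's lab material: it parses the five access lists exactly as written, applies them to the interfaces the slides name (fa1 corporate, fa0 DMZ, serial 0 Internet, mapped from the lab diagram), and evaluates each ping as an echo request plus an echo reply, the way a stateless router would. The host addresses (Host A 10.10.10.2, Host B 172.16.2.2) and the client port in the Web-session check are assumptions; the Web Server 10.1.1.10 is from the slides. It also shows why the established caveat matters: a forged, unsolicited TCP ACK from the Internet is forwarded into the corporate network.

```python
"""Stateless evaluation of the GAD router's extended ACLs (added example, not
from the original slides).  Assumed from the lab diagram: fa1 = corporate
10.10.10.0/24 (ACL 101 in, 102 out), fa0 = DMZ 10.1.1.0/24 (111 in, 112 out),
serial 0 = Internet side 172.16.2.0/24 (121 in); Host A 10.10.10.2 and
Host B 172.16.2.2 are assumed addresses, the Web Server 10.1.1.10 is the slides'."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "domain": 53, "smtp": 25, "ftp": 21}
ICMP_TYPES = {"echo", "echo-reply", "unreachable"}


@dataclass(frozen=True)
class Packet:
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0            # destination port for tcp/udp
    icmp_type: str = ""       # "echo", "echo-reply", "unreachable"
    ack_or_rst: bool = False  # TCP ACK or RST bit: all that "established" checks


def _addr_spec(t, i):
    """'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at t[i]."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2


def _port_spec(t, i):
    """Optional 'eq <port>' qualifier after an address; returns (port, next index)."""
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return 0, i


def parse_ace(line):
    """One 'access-list N permit|deny proto src [eq p] dst [eq p] [flags]' line."""
    t = line.split()
    rule = {"action": t[2], "proto": t[3]}
    rule["src"], i = _addr_spec(t, 4)
    _, i = _port_spec(t, i)  # source-port qualifier: parsed, not evaluated here
    rule["dst"], i = _addr_spec(t, i)
    rule["dport"], i = _port_spec(t, i)
    rule["established"] = "established" in t[i:]
    rule["icmp_type"] = next((x for x in t[i:] if x in ICMP_TYPES), "")
    return rule


def wildcard_match(addr, spec):
    """Wildcard-mask bits set to 1 are 'don't care': 0.0.0.255 means a /24."""
    base, wildcard = spec
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def ace_matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt.proto:
        return False
    if not (wildcard_match(pkt.src, rule["src"]) and wildcard_match(pkt.dst, rule["dst"])):
        return False
    if rule["dport"] and rule["dport"] != pkt.dport:
        return False
    if rule["established"] and not (pkt.proto == "tcp" and pkt.ack_or_rst):
        return False
    return not rule["icmp_type"] or rule["icmp_type"] == pkt.icmp_type


def acl_permits(rules, pkt):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for rule in rules:
        if ace_matches(rule, pkt):
            return rule["action"] == "permit"
    return False


CONFIG = """\
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 deny ip any any
access-list 102 permit tcp any any established
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any unreachable
access-list 102 deny ip any any
access-list 111 permit ip 10.1.1.0 0.0.0.255 any
access-list 111 deny ip any any
access-list 112 permit tcp any host 10.1.1.10 eq www
access-list 112 permit icmp 10.10.10.0 0.0.0.255 host 10.1.1.10
access-list 112 deny ip any any
access-list 121 deny ip 10.10.10.0 0.0.0.255 any
access-list 121 deny ip 127.0.0.0 0.255.255.255 any
access-list 121 deny ip 224.0.0.0 31.255.255.255 any
access-list 121 permit ip any any
"""
ACLS = {}
for _line in CONFIG.splitlines():
    ACLS.setdefault(_line.split()[1], []).append(parse_ace(_line))

INTERFACES = {  # name: (connected network, ACL applied in, ACL applied out)
    "fa1": ("10.10.10.0/24", "101", "102"),
    "fa0": ("10.1.1.0/24", "111", "112"),
    "s0": ("172.16.2.0/24", "121", None),
}


def interface_for(addr):
    for name, (net, _, _) in INTERFACES.items():
        if ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(net):
            return name
    return "s0"  # everything else is reached over the Internet link


def forwards(pkt, ingress=None):
    """Inbound ACL on the ingress interface, then outbound ACL on the egress one."""
    ingress = ingress or interface_for(pkt.src)
    acl_in, acl_out = INTERFACES[ingress][1], INTERFACES[interface_for(pkt.dst)][2]
    return all(acl is None or acl_permits(ACLS[acl], pkt) for acl in (acl_in, acl_out))


def ping_succeeds(src, dst):
    """A ping needs both the echo request and the echo reply to be forwarded."""
    return (forwards(Packet("icmp", src, dst, icmp_type="echo"))
            and forwards(Packet("icmp", dst, src, icmp_type="echo-reply")))


def web_session_succeeds(client, server="10.1.1.10"):
    """TCP SYN to port 80 plus the SYN/ACK back (client port 49152 is assumed)."""
    syn = Packet("tcp", client, server, dport=80)
    syn_ack = Packet("tcp", server, client, dport=49152, ack_or_rst=True)
    return forwards(syn) and forwards(syn_ack)


HOST_A, HOST_B, WEB = "10.10.10.2", "172.16.2.2", "10.1.1.10"


def lab_answers():
    """The four questions the slides ask, with all five ACLs applied."""
    return {"A->Web": ping_succeeds(HOST_A, WEB), "A->B": ping_succeeds(HOST_A, HOST_B),
            "B->Web": ping_succeeds(HOST_B, WEB), "B->A": ping_succeeds(HOST_B, HOST_A)}


def spoof_blocked(forged_src="10.10.10.5"):
    """ACL 121 drops an Internet packet that claims a corporate source address."""
    return not forwards(Packet("icmp", forged_src, HOST_A, icmp_type="echo"), ingress="s0")


def forged_ack_reaches_corporate():
    """'established' is stateless: an unsolicited TCP ACK from the Internet passes ACL 102."""
    return forwards(Packet("tcp", HOST_B, HOST_A, dport=445, ack_or_rst=True))
```

With all five lists applied, lab_answers() comes out as Host A can ping both the Web Server and Host B, while Host B can ping neither; Web sessions to 10.1.1.10 work from both sides; a forged corporate source on serial 0 is dropped by ACL 121; and forged_ack_reaches_corporate() returns True, which is the reason a stateful firewall (or CBAC/zone-based inspection on the router) is preferred over established for the corporate ingress rule.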