Presentation is loading. Please wait.

Presentation is loading. Please wait.

How topology decisions affect speed/availability/security/cost/etc. Network Topology.

Published byJulia Marsha Richards Modified over 9 years ago

Similar presentations

Presentation on theme: "How topology decisions affect speed/availability/security/cost/etc. Network Topology."— Presentation transcript:

1 How topology decisions affect speed/availability/security/cost/etc. Network Topology

2 Metrics for judging network design Cost $$$ Bandwidth Maintenance hours Clock cycles Electricity Space Cooling requirements Others... Security Confidentiality Integrity Availability Authenticity Non-repudiation Biggest design trade-off: Availability vs. Confidentiality

3 Dynamic vs. static addressing * Recommended settings: All workstations dynamic, all servers static. Workstation Webserver Fileserver Workstation Dynamic addresses: Allow machines to be easily added and removed Simplifies management, reduces errors Static addresses: Must/should be used for some servers Reduces traffic for other servers (e.g. arp queries, DNS lookups) Can be set in /etc/network/interfaces file DHCP server Dynamic Static DNS server Static Either (Static recommended. Dynamic possible with discovery/DNS.) Mailserver Either (Static recommended. Dynamic possible with DNS.) Gateway Router Static

4 Network “Attack Surface” * Each available port is theoretically open to attack ISP/Internet Webserver DNS server Switch Router w/o NAT IP: 5.5.5.5 IP: 5.5.5.100 Ports: 1-65535 IP: 5.5.5.101 Ports: 1-65535 ISP/Internet Switch Router w/ NAT IP: 5.5.5.5 IP: 5.5.5.100 Ports: 80, 443 IP: 5.5.5.101 Port: 53 Workstation IP: 5.5.5.102 Ports: 1-65535 Webserver DNS server Workstation IP: 5.5.5.102 Ports: None

5 Basic Network Attacks “Front door” vs. “Back door” “Front door” attack originates from outside the network. Assume that the only open port on the router is 80, which goes to webserver 1. Attacker finds an exploitable bug in the webserver. 2. Attacker sends a packet that contains code that creates a shell between attacker and webserver 3. Attacker uses the shell to “pivot” to the workstation and fileserver Workstation ISP/Internet Webserver Fileserver Switch Router w/ NAT * “Pivot” – to attack a device and gain a foothold (e.g. a shell) then use that foothold to attack other visible devices (ssh/telnet/metasploit/etc.).

6 Basic Network Attacks “Front door” vs. “Back door” “Back door” attack originates from inside the network. 1. Attacker sends an email with a malicious attachment 2. A workstation user clicks the attachment and runs the code 3. The code opens a connection to the hacker 4. The hacker now has a shell on the workstation and can install more software or pivot to other machines Workstation ISP/Internet Webserver Fileserver Switch Router w/ NAT

7 Most basic topology * All servers & workstations in the ISP’s subnet * All IPs are visible to Internet Workstation ISP/Internet Webserver Fileserver Switch Workstation Router w/o NAT WAP* * (WAP)Wireless Access Point PRO: All IPs are easily accessible from anywhere in the world (Maximum Availability) Low hardware costs CON: All IPs are easily accessible from anywhere in the world (Minimum Confidentiality) Can access every port on every IP remotely Very large attack surface Cost of buying one IP address for each device

8 Adding NAT * All servers & workstations in a single private subnet * Subnet IPs are hidden from Internet * The subnet appears as a single IP address for the router Workstation ISP/Internet Webserver Fileserver Switch Workstation Router w/ NAT WAP PRO: Much smaller attack surface than previous slide Only a few IP/port pairs are accessible through router CON: All IPs are in the same subnet. An attacker who pwns one box can pivot to the others.

9 Multiple isolated networks * Public servers are in blue subnet * Private servers & workstations are in green subnet Workstation ISP/Internet Webserver Fileserver Switch Workstation Router w/ NAT WAP PRO: An attack against one network will not grant access to the other CON: Extra Internet IP address is required Extra routers, switches, licenses, etc. are required Maintenance-intensive Difficult to give special priviliges on bluenet from greennet machines Switch Router w/ NAT Router w/ NAT

10 One network with a DMZ * Public servers are in blue subnet * Private servers & workstations are in green subnet Workstation ISP/Internet Webserver Fileserver Switch Workstation Router w/ NAT WAP PRO: An attack against the public webserver will not grant access to workstations or the private fileserver CON: An extra router is required “Double-NATing” of green subnet Complexity increases chance of misconfigurations Fileserver no longer available from outside LAN WAP is a big target for attacks – will allow attacker to pivot to fileserver or workstations Switch Router w/ NAT

11 Moving WAP to DMZ * Wireless devices can now only connect to the public (blue) subnet Workstation ISP/Internet Webserver Fileserver Switch Workstation Router w/ NAT WAP PRO: An attacker can no longer access the private fileserver after attacking the WAP (Confidentiality UP) CON: Mobile users no longer have access to the private fileserver (Availability DOWN) Attacker can still pivot from WAP to webserver Switch Router w/ NAT

12 Single router with multiple subnets * WAP is moved to its own (purple) subnet Workstation ISP/Internet Webserver Fileserver Switch Workstation Router w/ NAT WAP PRO: Increased separation of devices makes it difficult for attacker to pivot Fewer routers CON: More complex & expensive router required Router rules are more complex, easier to misconfigure

13 How many server applications per physical server? Webserver, Fileserver, DNS, DHCP, FTP Webserver PRO: Fewer physical servers to buy & maintain Reduced cost, space, electrical req. Security: Only one box to patch Fewer passwords to forget Fileserver DNS DHCP FTP PRO: Can buy smaller servers for each task Can put servers in different subnets Security: Only 2-3 ports open per machine Much easier to find attacks in logfiles & create firewall rules A successful attack against one service does not grant control over all services

14 Initial plan for class networks * Each group of 4 will build the following: Workstation SI455 internet Webserver Fileserver Switch Workstation Router w/ NAT Bluenet: Public – services available to other groups Greennet: Private – services available only to user workstations Switch Router w/ NAT DNS FTP Workstation DHCP Authentication Server Email server

Download ppt "How topology decisions affect speed/availability/security/cost/etc. Network Topology."

Similar presentations

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
DMZ (De-Militarized Zone)

DMZ (De-Militarized Zone)
Cs/ee 143 Communication Networks Chapter 6 Internetworking Text: Walrand & Parekh, 2010 Steven Low CMS, EE, Caltech.

Cs/ee 143 Communication Networks Chapter 6 Internetworking Text: Walrand & Parekh, 2010 Steven Low CMS, EE, Caltech.
5-Network Defenses Dr. John P. Abraham Professor UTPA.

5-Network Defenses Dr. John P. Abraham Professor UTPA.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.

Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Firewall Configuration Strategies

Firewall Configuration Strategies
Presented by Serge Kpan LTEC 4550.020 Network Systems Administration 1.

Presented by Serge Kpan LTEC Network Systems Administration 1.
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.

Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.
Small Office Service Serial Router Connects Internal Stations to Shared Broadband Access Service Small Office Serial Router Shared Broadband Line ISP.

Small Office Service Serial Router Connects Internal Stations to Shared Broadband Access Service Small Office Serial Router Shared Broadband Line ISP.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Wi-Fi Structures.

Wi-Fi Structures.
Subnetting.

Subnetting.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Spring 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Spring 2006.
Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
A Guide to major network components

A Guide to major network components

Similar presentations

Ads by Google