Slide 1: Network Perimeter Security
Yu Wang
Slide 2: Main Topics
– Border Router
– Firewall
– IPS/IDS
– VLAN
– SPAM
– AAA
– Q/A
Slide 3: Border Router
– Gate to the Internet
– First and last line of defense
– Role of a router
  – Designed to route packets
  – Operates primarily on layer 3
  – Able to filter packets using access control lists (ACLs)
– Limited as a network security control
Slide 4: Router ACL
– Standard ACL (layer 3)
  – access-list 1 permit 168.223.0.0 0.0.255.255
  – access-list 2 deny 192.168.0.0 0.0.0.255
– Extended ACL (layers 3 and 4)
  – access-list 101 permit tcp 168.223.0.0 0.0.255.255 host 128.186.6.14 eq www
  – access-list 101 deny tcp 192.168.0.0 0.0.0.255 any log
  – access-list 101 deny ip any any
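Added example (not part of the presentation): a small Python evaluator for IOS-style ACL lines like the ones on this slide. It applies the wildcard-mask match (a 1 bit in the mask means "don't care"), first-match ordering, the optional `log` keyword and the implicit deny at the end of every list, and handles both the standard (source-only) and extended forms; the ACL list, packet fields and the `www` port mapping are constructed for illustration.

```python
import ipaddress
# Constructed test ACL reproducing extended ACL 101 from slide 4.
ACL_101 = [
    "access-list 101 permit tcp 168.223.0.0 0.0.255.255 host 128.186.6.14 eq www",
    "access-list 101 deny tcp 192.168.0.0 0.0.0.255 any log",
    "access-list 101 deny ip any any",
]
ANY = (0, 0xFFFFFFFF)           # network 0 + all-ones wildcard matches every address
PORT_NAMES = {"www": 80, "ssh": 22, "domain": 53}   # IOS port keywords handled here

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((net, wildcard), rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]

def _parse_port(tokens):
    """Consume an optional 'eq PORT'; return (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        return (int(tokens[1]) if tokens[1].isdigit() else PORT_NAMES[tokens[1]]), tokens[2:]
    return None, tokens

def parse_ace(line):
    """Return (action, proto, src, sport, dst, dport, log) for a standard or extended ACE."""
    t = line.split()
    action, rest = t[2], t[3:]
    if rest[0] in ("any", "host") or "." in rest[0]:   # standard ACL: source address only
        src, rest = _parse_addr(rest)
        return action, "ip", src, None, ANY, None, "log" in rest
    proto, rest = rest[0], rest[1:]
    src, rest = _parse_addr(rest)
    sport, rest = _parse_port(rest)
    dst, rest = _parse_addr(rest)
    dport, rest = _parse_port(rest)
    return action, proto, src, sport, dst, dport, "log" in rest

def _addr_match(spec, addr):
    net, wild = spec
    care = ~wild & 0xFFFFFFFF       # wildcard bit 1 = don't care, 0 = must match
    return (_ip(addr) & care) == (net & care)

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """First-match evaluation; returns (action, log). Unmatched packets hit the implicit deny."""
    for action, p, s, sp, d, dp, log in map(parse_ace, acl):
        if (p in ("ip", proto) and _addr_match(s, src) and _addr_match(d, dst)
                and sp in (None, sport) and dp in (None, dport)):
            return action, log
    return "deny", False            # implicit 'deny ip any any' ends every IOS ACL
```

Note that the slide's HTTPS traffic to the same host would be dropped by ACL 101 because only `eq www` is permitted; that is the kind of silent deny the `log` keyword on a deny entry helps you see.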
Slide 5: Firewall
– What is a firewall
  – A network device designed to filter packets
  – A software application developed to do the same function
– A firewall operates on layers 3 to 7
– A firewall is stateful
  – If a packet is allowed to pass, an entry is added to the state table
Slide 6: TCP States
Slide 8: Firewall Stateful Operations
– State table (example entries)
  – TCP out 67.76.135.17:26944 in 128.186.120.4:993 idle 23:27:42 bytes 333091 flags UfFIOB
  – TCP out 71.229.26.75:60849 in 128.186.120.56:22 idle 2:26:47 bytes 2074496 flags UIOB
  – ICMP out 192.168.25.15:512 in 128.186.120.179:0 idle 0:00:00 bytes 2048
  – UDP out 64.70.24.76:53 in 128.186.120.179:1110 idle 0:00:00 flags -
– Stateful filtering: layer 4 and lower
– Stateful inspection: all layers
Slide 9: Firewall Product Examples
– Hardware firewall
  – Cisco PIX firewall
  – Home router firewall
– Software firewall
  – iptables (Linux)
  – IPFilter (Solaris)
  – Windows XP firewall
Slide 10: IPS/IDS
– Intrusion Prevention/Detection System
  – A firewall is good at packet filtering but weak at layer 7 inspection
  – IPS/IDS operates on layers 2 to 7
  – An IPS can provide application protection, performance protection, and infrastructure protection
  – It uses specialized network devices and a database of known attack signatures
Slide 11: IPS/IDS
– IPS examples
  – TippingPoint UnityOne IPS
    – Uses "Digital Vaccine" signatures to effectively block viruses/worms, spyware, phishing, P2P, and DDoS
    – Does not replace a firewall
Slide 12: IPS/IDS
– IPS examples
  – Packeteer Traffic Shaper
    – Guarantees bandwidth availability for legitimate network traffic
    – Controls malicious network traffic
    – Better use of existing bandwidth
Slide 13: IPS/IDS
– IPS examples
  – Cisco ASA
    – Uses a modular approach
    – Simplifies configuration and management
Slide 14: IPS/IDS
– IDS examples
  – Snort
    – An open source solution
    – Low-budget system suitable for the organizational-unit level
    – Runs on UNIX, Linux, Windows
    – Slower compared with ASA and TippingPoint
    – More flexible compared with ASA and TippingPoint
Slide 15: VLAN
– A virtual LAN is used to separate resources
  – Divides a physical network into multiple virtual networks
  – Network traffic in one VLAN does not reach another VLAN by default
  – Inter-VLAN traffic must go through a router, where an ACL can be used to filter unwanted flows
Slide 16: SPAM Solution
– SPAM and email viruses
  – Email is one of the most important network services. SPAM has become a big issue for many organizations
  – Many commercial SPAM filtering products are available
  – We use GFI MailEssentials and GFI MailSecurity
    – RBL checking, header checking, message body checking
    – Virus checking, phishing checking
  – We also use SpamAssassin, procmail, ClamAV
  – Tumbleweed Email Firewall (MMS)
    – Automatic quarantine with user release/deletion function
Slide 17: AAA
– Authentication
  – Use strong authentication methods
    – Kerberos, SSH, PKI
– Authorization
  – Define access control
  – Harden network resources (servers)
  – Separate vulnerable servers from the rest of the network (DMZ)
– Auditing
  – Central log server
  – Log analyzer/watcher
Slide 18: Questions