
1 CPE5021 Advanced Network Security ---Network Security and Performance--- Lecture 9

2 CPE5002 - Advanced Network Security
Outline
- Firewalls and Load Balancing
- VPN and Network Performance
- NAT and Load Balancing
- Network Security Architecture

3 Firewalls and Load Balancing
- Nowadays most networks have at least one or two firewalls (packet-filtering and proxy firewalls).
- Most networks provide mail and web services and have proxy firewalls that have to inspect several fields of every packet.
- Current firewalls are designed to protect networks effectively against intrusions. However, they limit performance and scalability.
- They are also often single points of failure and hence can reduce network availability.

4 Why Firewalls Introduce Problems: e.g.
- Firewalls can be software-based products installed on a machine with two or three network interface cards (NICs).
  - One NIC connects the enterprise network to the public network (NIC --- Router --- Internet).
  - The second NIC is connected to the non-DMZ part of the corporate network.
  - The third NIC, if there is one, is connected to the DMZ.
- Because firewalls are deployed in the data path, through which all packets go, they can limit network performance and scalability.
- Firewalls can slow communications by having to process every packet. E.g.: proxy firewalls.
- Firewalls make it difficult to upgrade other servers. E.g.: firewalls with VPN; firewalls with routers.

5 Firewalls with 3 NICs: Example
[figure: firewall with a NIC to the Internet (via a router), a NIC to the DMZ and a NIC to the non-DMZ network]

6 Solutions
- Some sophisticated application devices such as specialised advanced switches (called application switches, e.g. Alteon AS, Alteon Web Switch) can reduce the problems caused by firewalls.
  - Those switches are built with SSL features and act as load balancers.
- Application switches support Layer 4 and higher-layer switching and processing functionality, and can maintain the state of individual TCP sessions.
- Vendors are also looking, beyond SSL, to integrate security features such as DoS protection, malicious URL blocking, and application-layer firewalling into their switches.

7 Solutions (e.g.)
- Cisco provides the L4-L7 switch/load balancer without SSL.
- Nortel provides the L4-L7 switch/load balancer without SSL.
- F5 Networks provides SSL-enabled L4-L7 switches and load balancers.
- Cisco Catalysts with SSL service modules.
- Cisco firewall/VPN/load balancer series.

8 Firewalls and Net Device for Load Balancing (e.g.)
[figure: Internet --- firewall/load balancer --- private network]

9 Firewalls and Load Balancers
- Most load balancers can provide both packet filtering and packet inspection.
- Load balancers can be set up so that only desired TCP/UDP ports are load-balanced.
  - E.g.: we can set up TCP port 80 for web traffic, which provides the packet-filtering functionality.
- Load balancers do most of their work at the network level; therefore they can keep TCP state information and make decisions based on that state.
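As an added example (not part of the lecture or of any vendor's product), a toy Layer-4 load balancer in Python that does what the slide describes: it balances only an allow-list of TCP/UDP ports (the packet-filtering side) and keeps a per-session flow table, so each TCP packet is dispatched from session state rather than inspected in isolation. The back-end addresses, ports and packets are constructed sample values.

```python
# Added example: port-filtered, TCP-state-aware Layer-4 load balancer (toy).
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int, str, int, str]  # (src_ip, src_port, dst_ip, dst_port, proto)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str        # "tcp" or "udp"
    flags: str = ""   # TCP flag letters, e.g. "S" (SYN), "A" (ACK), "F" (FIN), "R" (RST)


class L4LoadBalancer:
    def __init__(self, backends, allowed_ports):
        self.backends = list(backends)                     # constructed back-end addresses
        self.allowed = {(proto, port) for proto, port in allowed_ports}
        self.flows: Dict[Flow, str] = {}                   # session state: 5-tuple -> back-end
        self._next = 0                                     # round-robin cursor

    def _pick(self) -> str:
        backend = self.backends[self._next % len(self.backends)]
        self._next += 1
        return backend

    def dispatch(self, pkt: Packet) -> Optional[str]:
        """Return the back-end that receives pkt, or None if the packet is dropped."""
        # Packet filtering: only the configured TCP/UDP ports are load-balanced at all.
        if (pkt.proto, pkt.dst_port) not in self.allowed:
            return None
        key: Flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        if pkt.proto == "udp":
            # UDP has no handshake: pin the 5-tuple to one back-end on first sight.
            return self.flows.setdefault(key, self._pick())
        # Stateful TCP: only a client SYN (not SYN-ACK) may create a new session entry;
        # a mid-stream packet with no matching state is dropped.
        backend = self.flows.get(key)
        if backend is None:
            if "S" not in pkt.flags or "A" in pkt.flags:
                return None
            backend = self._pick()
            self.flows[key] = backend
        if "F" in pkt.flags or "R" in pkt.flags:
            del self.flows[key]   # session is closing: forget its state
        return backend
```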

10 VPN and Load Balancing
- How do you improve the performance of your network if it provides VPN service?
  - A VPN server separated from firewalls.
  - A VPN server integrated with a firewall.

11 VPN, Firewall and Load Balancer (e.g.)
- Symantec Firewall/VPN 200 Appliance
  - Features: 8 x 10/100 Mbps LAN
  - 2 x 10 Mbps WAN
  - High availability
  - Load balancing on 2 WAN ports
- The Symantec Firewall/VPN Appliance is both a firewall and a VPN solution for efficient and secure Internet connectivity for small businesses.
- A small business computer system can use gateway-to-gateway IPSec to connect to other networks, and remote users can access their company's network via client-to-gateway IPSec VPN.

12 VPN, Firewall and Load Balancer (e.g.): HotBrick Load Balancer LB-2 (2 x WAN, 4 x LAN)
- Its 2 x 10/100 Mbps WAN ports allow high-speed access with NAPT support.
  - It enables port mapping of a pool of public IP addresses.
  - It provides a dynamic DNS feature for mapping dynamic addresses to virtual servers within the LAN.
- It also provides the option to double network speed with a failover feature, along with firewall features like URL and ICMP filtering, DoS attack prevention, stateful packet inspection and group access control.

13 VPN, Firewall and Load Balancer (e.g.)
- HotBrick Firewall VPN 1200/2 (2 x WAN, 12 x LAN)
  - a firewall,
  - a VPN server,
  - a router,
  - a load balancer,
  - can support up to 88 Mbps of throughput and 5000 concurrent IP sessions.
  - The VPN server allows 20 VPN end-points plus compatibility with RADIUS.

14 NAT and Load Balancing
- How do we improve network performance using load balancing associated with:
  - A NAT box behind a firewall.
  - A NAT box behind a VPN server.
  - A NAT box in parallel with a VPN server.

15 NAT and VPN and Load Balancing
[figure, borrowed from Cisco]

16 Network Security Architectures
Network Security Architecture (NSA) is very important for any medium or large network. A good architecture will not only save a company money but also provide an adequate level of security and survive attacks. A guideline for a good NSA should at least include:
1. Dynamic cryptosystems.
2. Structures for adapting to new protocols.
3. Structures for full authentication of all network elements, including devices, software, protocols, users, servers, subnets, etc.
4. Structures for trusted computing systems.
5. Structures to support load balancing, availability and scalability.

17 NSA: Dynamic Cryptosystems
- A secure network needs to support many different cryptosystems.
  - Cryptography is evolving quickly with quantum computing and ECC theory. How will your NSA live with such evolution if your system has many traditional crypto algorithms?
- Future networks will be wireless communications that require different technologies, and hence future networks have to be able to support many different cryptosystems.
  - If your NSA will support more wireless, then what should it look like when you create it now?
- More powerful computers and network devices will be produced in the near future, and this will put a strong demand on strong authentication and cryptosystems.
  - What if your corporation does not have a very powerful computer but the others do?

18 NSA: Adaptation of New Protocols
- Many new voice, video, and other newly formed applications will be integrated into networks, especially the Internet; hence current crypto and authentication systems will need to be upgraded.
  - How can your NSA adapt to a new protocol that may pose a threat to your organisation?
    - ICR
    - H.323 (http://www.protocols.com/pbook/h323.htm)
    - VoIP
    - Etc.

19 NSA: A Structure for Trusted Computing Systems
- Trusted computing systems exist in most large networks; how do we structure such networks with high security?
  - Use digital signatures for verifying software packages, programs and functions.
  - Use network auditors to audit and monitor the whole network.
  - How do we get all of this done automatically?

20 NSA: Load Balancing, Availability and Scalability
- When should we think of load balancing, availability and scalability: before or after we have designed and implemented firewalls, VPNs, NAT boxes, and other network security components?
- How will intelligent application network components fit in the NSA? When and how should the following be done?
  - Ensure continuous application availability with Layer 4 to Layer 7 load balancing?
  - Tune the application infrastructure with Layer 7 content switching?
  - Optimise multi-site load distribution using current Global Server Load Balancing?
  - Enhance application performance for web and non-web applications?
  - Deliver increased application performance while reducing server workload?
  - Accelerate secure application delivery with SSL/IPSec?

