
Slide 1: SECURING YOUR NETWORK PERIMETER (Chapter 10)

Slide 2: CHAPTER OBJECTIVES
- Establish secure topologies.
- Secure network perimeters.
- Implement firewalls.

Slide 3: SECURING YOUR NETWORK PERIMETER
- Secure the network perimeter, not just individual components.
- Secure connections between components.
- Use security zones.
- Manage network traffic between security zones.
- The most important zone or boundary is the Internet.
- Firewalls are boundary control devices.

Slide 4: ESTABLISHING SECURE TOPOLOGIES
- A secure topology is a network design.
- Group devices in security zones.
- Segregate network traffic.
- Control the information flow.

Slide 5: SECURITY ZONES
- Security zones group assets with similar security requirements.
- They segregate mission-critical systems.
- Access control mechanisms define what access is allowed between zones.
- Security zones reduce the attack surface of network resources.
- Security zones focus your attention on possible threats and vulnerabilities.

Slide 6: VIRTUAL LOCAL AREA NETWORKS (VLANS)
- Used to segment a network into smaller subnetworks
- Used to create security zones
- Are virtual subnets
- Are created by using switches
- Are supported by routers

Slide 7: VIRTUAL LOCAL AREA NETWORKS (VLANS) (CONT.)
- Restrict broadcast traffic
- Are flexible and scalable
- Hide the physical configuration of the network
- Need secure and physically protected switches

Slide 8: SECURING NETWORK PERIMETERS
- Establish boundaries between security zones.
- Separate the private network from the Internet.
- Define the allowed traffic that can cross the perimeter.
- Use routers and firewalls to control perimeter traffic.
- Filter for malicious code.
- Monitor for intrusion activities.

Slide 9: ESTABLISHING NETWORK SECURITY ZONES
- Place firewalls between internal and external networks.
- Use multiple firewalls if you need to create multiple layers of protection.
- Put Internet-accessible resources in separate network segments.
- The segment between firewalls is called a perimeter network, demilitarized zone (DMZ), or screened subnet.

Slide 10: COMMON SECURITY ZONES
- Intranet
- Perimeter network
- Extranet
- Internet

Slide 11: CONFIGURATION OF SECURITY ZONES (diagram slide; no text content)

Slide 12: INTRANET
- Is the primary and most sensitive security zone of an organization
- Is also known as an internal network, private network, or LAN
- Contains all private internal resources
- Is considered a trusted network
- Is vulnerable to internal attackers

Slide 13: SECURING AN INTRANET
- Deploy firewalls against all other networks.
- Install and update antivirus solutions.
- Audit and monitor online activity.
- Secure systems hosting confidential data.
- Manage the security of the physical infrastructure.

Slide 14: SECURING AN INTRANET (CONT.)
- Check for unauthorized devices.
- Restrict access to critical systems.
- Control physical access.
- Remove all unnecessary services from server systems.

Slide 15: PERIMETER NETWORK
- Grants controlled access to public resources
- Prevents external traffic from entering the intranet
- Is also called a DMZ or screened subnet
- Provides a buffer between the private trusted network and the Internet or other untrusted network segments

Slide 16: SECURING A PERIMETER NETWORK
- Use firewalls to provide protection from external untrusted networks.
- Remove all unnecessary services.
- Audit all online activity.
- Separate name resolution services.
- Remove or restrict remote management services.
- Carefully document and audit all physical and logical configurations.
- Frequently back up data and configurations.

Slide 17: EXTRANET
- Is used for partner access to controlled resources
- Is used to share information between members of multiple organizations
- Requires authenticated external connections
- Is often directly accessible from the Internet
- Might use virtual private networks (VPNs)

Slide 18: METHODS OF EXTRANET ACCESS (diagram slide; no text content)

Slide 19: SECURING AN EXTRANET
- Use firewalls to provide protection from the external network.
- Authenticate all access.
- Remove all unnecessary services.
- Audit all network and service access.

Slide 20: PERIMETER NETWORK TYPES
- Perimeter networks are established by means of firewalls.
- Firewalls manage traffic across the boundaries of different security zones.
- There are two common perimeter network designs:
  - Three-pronged design
  - Back-to-back design

Slide 21: THREE-PRONGED PERIMETER NETWORK DESIGN
- Uses a single firewall
- Connects the Internet, an intranet, and a perimeter network
- Can be a single point of failure

Slide 22: THREE-PRONGED PERIMETER NETWORK (diagram slide; no text content)

Slide 23: BACK-TO-BACK PERIMETER NETWORK DESIGN
- Uses two firewalls
- Is also called a buffer network or screened subnet
- Has no single point of failure
- Supports more restrictive security rules
- Increases the security of the intranet
- Provides defense-in-depth protection
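The zone model of slides 5 through 23 (assets grouped by subnet into zones, an explicit allow list for each zone pair, everything else denied, and no path from the outside straight into the intranet) can be written down and checked. The following is an added example, not material from the chapter; the subnets, zone names, ports and the whole policy table are constructed assumptions chosen to resemble a back-to-back layout, where the outer firewall enforces the internet/extranet-to-perimeter pairs and the inner firewall enforces the perimeter-to-intranet pairs.

```python
"""Zone classification and inter-zone policy for a back-to-back perimeter.

Added illustration; every subnet, port and zone pair below is a constructed
assumption, not a setting taken from the chapter.
"""
import ipaddress

# Constructed address plan: which subnets make up which security zone.
# Any address in no listed subnet is treated as the Internet, the least
# trusted zone.
ZONE_SUBNETS = {
    "intranet": [ipaddress.ip_network("10.0.0.0/8")],
    "perimeter": [ipaddress.ip_network("192.168.100.0/24")],
    "extranet": [ipaddress.ip_network("172.16.50.0/24")],
}

# Inter-zone policy: (source zone, destination zone) -> allowed destination
# ports. A pair that is absent is denied, which gives default deny.
# Outer firewall pairs: internet/extranet <-> perimeter.
# Inner firewall pairs: perimeter <-> intranet.
# Intranet <-> internet flows cross both firewalls.
# Deliberately no ("internet", "intranet") entry.
POLICY = {
    ("internet", "perimeter"): {80, 443},   # published web services
    ("extranet", "perimeter"): {443},       # authenticated partner access
    ("perimeter", "intranet"): {1433},      # web tier to database tier only
    ("intranet", "perimeter"): {22, 443},   # administration of DMZ hosts
    ("intranet", "internet"): {80, 443},    # outbound browsing
    ("perimeter", "internet"): {53},        # DMZ resolver to upstream DNS
}

OUTSIDE_ZONES = {"internet", "extranet"}


def zone_of(ip: str) -> str:
    """Classify an address into a zone by subnet membership."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONE_SUBNETS.items():
        if any(addr in net for net in nets):
            return zone
    return "internet"


def check_flow(src_ip: str, dst_ip: str, dport: int):
    """Decide a flow between two addresses and say why."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return "allow", f"{src_zone}: same zone, not perimeter-controlled"
    allowed = POLICY.get((src_zone, dst_zone), set())
    if dport in allowed:
        return "allow", f"{src_zone}->{dst_zone} port {dport}: explicit exception"
    return "deny", f"{src_zone}->{dst_zone} port {dport}: no rule, default deny"


def policy_violations():
    """Lint the policy: any rule letting an outside zone reach the intranet
    directly defeats the purpose of the two-firewall design."""
    return sorted(
        f"{src}->{dst}"
        for (src, dst) in POLICY
        if src in OUTSIDE_ZONES and dst == "intranet"
    )


if __name__ == "__main__":
    # 203.0.113.0/24 is documentation space, used here as an Internet host.
    for flow in [("203.0.113.7", "192.168.100.10", 443),
                 ("203.0.113.7", "10.1.2.3", 443),
                 ("192.168.100.10", "10.1.2.3", 1433),
                 ("192.168.100.10", "10.1.2.3", 22)]:
        print(flow, *check_flow(*flow))
    print("violations:", policy_violations() or "none")
```

The lint is the part worth keeping in a real change pipeline: a policy table tends to grow by exceptions, and a check that no exception crosses from an outside zone to the intranet in one hop is cheap to run on every edit.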

Slide 24: BACK-TO-BACK PERIMETER NETWORK (diagram slide; no text content)

Slide 25: USING AN N-TIER ARCHITECTURE
- An n-tier architecture provides multiple tiers of security zones.
- Each tier supports a portion of a business operation.
- Traffic is controlled between each tier.
- Compromise of one tier does not imply complete failure.

Slide 26: A 3-TIER NETWORK DESIGN (diagram slide; no text content)

Slide 27: BASTION HOSTS
- A bastion host is a single host that provides all externally accessible services.
- A single firewall routes external traffic to the bastion host.
- All access is tightly controlled and monitored.
- This is the least secure network design.

Slide 28: A BASTION HOST DESIGN (diagram slide; no text content)

Slide 29: NETWORK PERIMETER SECURITY AND TRAFFIC CONTROL
- Block all traffic by default.
- Define exceptions for authorized traffic.
- Allow only required network traffic.
- Don't trust all outgoing traffic by default.
- Inspect blocked traffic and track down the source.

Slide 30: FIREWALL FUNCTIONS
- Protect a network from malicious hackers and software
- Block external threats
- Filter inbound and outbound traffic
- Separate private networks from the Internet
- Separate subnets or individual systems

Slide 31: FIREWALL TYPES
- Packet filtering
- Application filtering
- Circuit-level inspection
- Stateful inspection
- Content inspection
- Proxy server functionality

Slide 32: USING PACKET FILTERING
- A packet filtering firewall inspects the header of each packet.
- The firewall forwards or drops each packet based on rules.
- Packet filter rules focus on inbound or outbound packets.
- Packet filter rules judge source or destination address, other header field content, or packet size.
- Most firewalls and routers can perform packet filtering.

Slide 33: COMMON FILTER-FOCUSED HEADER FIELDS
- Source IP address
- Destination IP address
- IP protocol ID
- Source TCP or UDP port number
- Destination TCP or UDP port number

Slide 34: COMMON FILTER-FOCUSED HEADER FIELDS (CONT.)
- Protocol and port numbers
- ICMP message type
- Fragmentation flags
- IP options

Slide 35: A PACKET FILTERING FIREWALL (diagram slide; no text content)

Slide 36: CIRCUIT-LEVEL INSPECTION
- This type of inspection does not examine each packet.
- Circuit-level inspection monitors connection establishment.
- If a connection is allowed, no further restrictions are imposed.
- Circuit-level inspection is more efficient than packet filtering.
- Many firewalls can perform circuit-level inspection.

Slide 37: STATEFUL INSPECTION
- Combines features of packet-filtering and circuit-level firewalls
- First, restricts connections only to authorized users
- Second, inspects subsequent packets to restrict traffic based on context
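Slides 29 and 32 through 37 describe two mechanisms that are easy to confuse: a stateless packet filter that judges every packet on its header fields against an ordered rule list with a default deny, and stateful inspection that checks the rules once at connection setup and then passes later packets only for connections it remembers. The following is an added example, not code from the chapter; the Packet and Rule classes, the addresses, and the rule sets are constructed assumptions, and rules match exact addresses only (prefix matching is left out to keep the example short). It also shows why rule execution order matters: the same two rules give opposite answers depending on which comes first.

```python
"""Stateless packet filtering versus stateful inspection, in miniature.

Added example; packets and rules are constructed, not taken from the chapter.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The header fields a filter looks at (slides 33-34), constructed."""
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP flags: SYN without ACK opens a connection
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    """One filter rule; "any" or None means the field is not checked."""
    action: str                  # "allow" or "deny"
    src: str = "any"             # exact address match (assumption: no prefixes)
    dst: str = "any"
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


def packet_filter(rules: List[Rule], p: Packet) -> str:
    """Stateless filter: first matching rule wins; no match means deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Consults the rules only when a connection is set up, remembers the
    connection, and afterwards passes packets (replies included) solely for
    connections it remembers."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.connections = set()

    @staticmethod
    def _key(p: Packet):
        # Direction-independent key so the reply maps onto the same entry.
        return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

    def handle(self, p: Packet) -> str:
        key = self._key(p)
        if key in self.connections:
            return "allow"                      # established connection
        if p.proto == "tcp" and not (p.syn and not p.ack):
            return "deny"                       # mid-stream packet, no connection
        if packet_filter(self.rules, p) == "allow":
            self.connections.add(key)           # UDP gets a pseudo-connection
            return "allow"
        return "deny"


def rule_order_demo() -> Tuple[str, str]:
    """Same two rules in two orders: the host-specific deny is effective only
    when it is evaluated before the broad allow."""
    block_host = Rule("deny", src="198.51.100.5")
    allow_web = Rule("allow", proto="tcp", dport=80)
    p = Packet("198.51.100.5", "192.168.100.10", "tcp", 40000, 80, syn=True)
    return (packet_filter([block_host, allow_web], p),
            packet_filter([allow_web, block_host], p))


def stateful_demo() -> dict:
    """Outbound HTTPS from one client: the reply passes because the connection
    is remembered, a look-alike packet to a different host does not, and a
    stateless filter with the same single rule would drop the reply."""
    rules = [Rule("allow", src="10.0.0.5", proto="tcp", dport=443)]
    fw = StatefulFirewall(rules)
    syn = Packet("10.0.0.5", "203.0.113.9", "tcp", 51000, 443, syn=True)
    reply = Packet("203.0.113.9", "10.0.0.5", "tcp", 443, 51000, syn=True, ack=True)
    stray = Packet("203.0.113.9", "10.0.0.6", "tcp", 443, 51000, ack=True)
    return {
        "outbound_syn": fw.handle(syn),
        "reply": fw.handle(reply),
        "unsolicited": fw.handle(stray),
        "stateless_reply": packet_filter(rules, reply),
    }


if __name__ == "__main__":
    print("rule order (deny first, allow first):", rule_order_demo())
    print("stateful:", stateful_demo())
```

The "stateless_reply" result is the practical point of slide 37: a filter with no memory must open inbound ports to let replies through, while the stateful firewall admits exactly the replies that belong to connections it approved at setup.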

Slide 38: APPLICATION LAYER FILTERING
- Examines the content or payload of packets
- Inspects packets based on the application used
- Requires complex rules
- Can detect a wide range of attacks and malicious code
- Has slower performance than other methods

Slide 39: TUNNELING
- Tunneling is a technique used to bypass a firewall's inspection mechanisms.
- Tunneling encapsulates network packets in allowed network traffic.
- Encryption is a common tunneling option.
- If content inspection is not possible, an intrusion detection system (IDS) might be needed.

Slide 40: PROXY SERVERS
- Operate at the circuit level or the application layer
- Accept connections from clients
- Establish a distinct connection to external servers
- Allow no direct connection between client and server
- Support content checking and resource caching

Slide 41: A PROXY SERVER (diagram slide; no text content)

Slide 42: NETWORK ADDRESS TRANSLATION (NAT)
- Allows multiple internal clients to access the Internet over a few public leased addresses
- Converts and manages traffic through translation of IP addresses and port numbers
- Allows use of the private IP addresses (10.x.x.x, 172.16.x.x–172.31.x.x, and 192.168.x.x)
- Hides the internal network structure and address scheme
- Prevents external entities from directly accessing internal clients

Slide 43: NAT VARIATIONS
- Static NAT
- Dynamic NAT
- Port address translation (PAT)
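Slides 42 and 43 state what NAT does; the port address translation variant is the one that lets many internal clients share one public address, and its translation table is also the reason NAT hides internal hosts. The following is an added example, not code from the chapter: a small PAT table that rewrites outbound connections from the private ranges listed on slide 42 to one public address with a fresh port per flow, maps replies back, and drops inbound packets that match no existing entry. The public address 198.51.100.1 and all client and server addresses are constructed documentation-range values.

```python
"""Port address translation (PAT) table, as an added example.

Not from the chapter. Addresses are constructed: 10.0.0.0/8 hosts are the
internal clients and 198.51.100.1 is the single leased public address.
"""
import ipaddress
from typing import Optional, Tuple

# The three private ranges named on slide 42 (RFC 1918). The stdlib's
# ip_address(...).is_private also exists but covers more than these three.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


class Pat:
    """Many inside addresses behind one public address, told apart by port."""

    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        # (inside ip, inside port, remote ip, remote port) -> public port
        self.outbound_map = {}
        # (public port, remote ip, remote port) -> (inside ip, inside port)
        self.inbound_map = {}

    def outbound(self, src_ip: str, src_port: int,
                 dst_ip: str, dst_port: int) -> Tuple[str, int, str, int]:
        """Rewrite an internal client's source to public address:port.
        Returns the translated (src ip, src port, dst ip, dst port)."""
        if not is_private(src_ip):
            raise ValueError("only private inside addresses are translated")
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound_map:
            if self.next_port > self.last_port:
                raise RuntimeError("translation table exhausted")
            port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = port
            self.inbound_map[(port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.outbound_map[key], dst_ip, dst_port)

    def inbound(self, src_ip: str, src_port: int,
                dst_ip: str, dst_port: int) -> Optional[Tuple[str, int, str, int]]:
        """Map a packet from outside back to the inside host, or None if no
        entry exists: an unsolicited external packet has nowhere to go, which
        is the hiding effect slide 42 describes."""
        if dst_ip != self.public_ip:
            return None
        inside = self.inbound_map.get((dst_port, src_ip, src_port))
        if inside is None:
            return None
        return (src_ip, src_port, inside[0], inside[1])


if __name__ == "__main__":
    pat = Pat("198.51.100.1")
    print(pat.outbound("10.0.0.5", 50000, "203.0.113.9", 443))
    print(pat.outbound("10.0.0.6", 50000, "203.0.113.9", 443))
    print(pat.inbound("203.0.113.9", 443, "198.51.100.1", 1025))
    print(pat.inbound("203.0.113.9", 443, "198.51.100.1", 1026))  # None
```

Two clients using the same source port 50000 get distinct public ports, which is the "port" in port address translation; a real implementation would also age entries out and track TCP state, which this table omits.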

Slide 44: FIREWALL ISSUES
- Misconfiguration is a common cause of firewall failure.
- Avoid default-allow and default-deny rules.
- Manage the rule execution order.
- Keep firewalls patched and updated.

Slide 45: FIREWALL VULNERABILITIES
- Compromising the firewall management console or password
- Circumventing the firewall
- Physically tampering with the firewall
- Creating outbound connections

Slide 46: SECURING FIREWALLS
- Keep current on vendor-released information on your firewall.
- Keep the firewall patched and updated.
- Keep virus scanners updated.
- Maintain physical access control.
- Document the firewall configuration.

Slide 47: SECURING FIREWALLS (CONT.)
- Restrict management access.
- Use complex passwords.
- Test the firewall's filters and rules.
- Look for bypasses or circumventions of the firewall's security.

Slide 48: SUMMARY
- Security zones divide parts of the network that have different security requirements.
- VLANs are a method for dividing a single physical network into separate broadcast domains.
- Typical security zones are intranets, extranets, perimeter networks, and the Internet. Firewalls are often used to control traffic between these security zones.

Slide 49: SUMMARY (CONT.)
- The two most commonly used firewall topologies are the back-to-back design and the three-pronged design. A back-to-back design provides multiple layers of protection. The bastion host design provides the lowest level of security.
- Firewalls differ in the features that they provide. Common features are packet filtering, circuit-level inspection, stateful inspection, application layer filtering, and proxy server functionality.
- NAT allows multiple computers to communicate with the Internet by using a single routable IP address or a range of IP addresses. The main security benefit of NAT is that it hides hosts from the Internet.

