April 09, 2008, The Demilitarized Zone as an Information Protection Network, by Parvathy Subramanian
The Demilitarized Zone as an Information Protection Network
Presented by Parvathy Subramanian
Agenda
► Introduction
► Fundamental IPN concepts
► Enterprise security principles
► Implementing IPNs with complex security: integrated IPN, virtual IPN, connectivity policy (uncontrolled network connection), nested IPN configuration
► Enterprise information in the IPN
► IPN technology components
Introduction
► Information protection requires an in-depth, risk-based approach involving network, host, and application security, which together constitute a defense-in-depth approach to information protection [1].
► The DMZ provides network-layer security against an untrusted network via an intermediary network charged with granting or denying external hosts access to hosts and ports within the enterprise network.
► Hosts within the enterprise network provide the second layer of defense.
► Finally, the applications running on those hosts provide the last layer of defense.
► Risk = threat * vulnerability * value, where threat and vulnerability are real numbers in the ranges (0, t) and (0, v), and value is expressed in dollars, in the range ($0, $n).
Enterprise security core principles and supporting requirements
Fundamental IPN (Information Protection Network) Concepts
► A typical IPN separates the trusted network from the external network.
► The trusted network is connected to an internal router; the external network is connected to an external router.
Fundamental IPN (Information Protection Network) Concepts
► The public access server and the DNS server can be reached from, and respond to requests from, the external network. They cannot initiate any outbound sessions.
► All of these controls involve authentication.
► Some servers exist solely to support the IPN security function.
Enterprise Security Principles
► "Never assume that another component of the IPN is completely trusted to perform its intended function with 100% reliability."
Example: it is the responsibility of the external router to permit external DNS query requests to the DNS server and nothing else; the DNS server should still not depend on the router doing so.
► "The IPN and all its components constitute a security system, and it should be managed accordingly: as a system, not a collection of independent components."
Example: a group of staff is responsible for administering the DNS host and service. The individuals should work together, and a coordination mechanism should be built into the change-control process.
Implementing IPNs with complex security
► A large enterprise is composed of several geographically distributed campus networks.
► IPN principle: the IPN can be used to implement an array of department-wide mandatory and recommended baseline security policies and practices, as well as those that might be site-specific or used by the site to augment the department-wide direction or guidelines [1].
► The IPN is used to:
  control the flow of traffic through it;
  hide local site details;
  facilitate protection of data in transit;
  monitor network activities;
  resist unauthorized use of site resources;
  protect the site, and itself, from unauthorized change.
Integrated IPN
► The same physical facility and equipment are used to protect both networks.
► One router can be configured as two virtual routers, or a single router can be used with more complex access control policies.
Virtual IPN
► From the equipment and circuit perspective there are two separate IPNs.
► From the system perspective there is only one virtual IPN.
► Less efficient, but appropriate depending on the site and the organizational structure of the enterprise.
Connectivity policy (Uncontrolled network connection)
► Networks A and B have different security policies.
► Data flow between them should be mediated by an IPN.
► Direct connectivity compromises information security.
► There is no "stronger than" relation between networks A and B.
► Clearly, some exposure to vulnerabilities remains, even though the IPN protects each network according to its own needs.
Nested IPN
► Most often a "stronger than" relationship exists between two networks.
► In that case a clear and formal agreement should be specified between the directly adjacent networks, particularly for the ingress policy.
► The egress policy is solely within the control of a single network.
Enterprise information in the IPN
► The IPN, along with its security measures, also provides a means for information and application sharing between enterprises and/or business partners.
► With the introduction of private business data into the IPN, extra diligence should be given to security measures.
► A strict configuration change-control procedure should be maintained, and trained security professionals should be part of the IPN management team.
► Clear separation of roles should be ensured, so that security is not compromised in a misguided attempt to satisfy a single business need.
► An IPN implementation includes network zones, comprising both security and business components.
► Example: access to the restricted zone is limited to site users whose role is to manage and maintain the business application.
► Ingress to the public zone is permitted if the source is the restricted zone.
► It is denied otherwise.
► Strong authentication should be required by ingress policies that allow access to the restricted zone.
IPN Technology components
► Connectivity components: network and application systems. Examples: switches, routers, load balancers, DNS.
► Security components: systems designed to ensure confidentiality, integrity and availability. Examples: firewalls, intrusion detection systems, SSL, VPN.
Connectivity Components
► Routers: a pair of routers serves as the demarcation points of an IPN environment. They also carry the set of ACLs defining the ingress and egress policies; the ACLs should explicitly deny all other traffic. Router-based ACLs are extremely important to the IPN: they are the first line of defense against all unknown security threats.
► Switching: IPNs are highly dependent on layer-two switches for primary network connectivity. Most switch-related problems in an IPN are due to human error. VLAN technology is commonly employed in IPN environments to provide logical separation using shared security and network connectivity hardware; zones in the IPN can be implemented using VLANs.
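The following is an added example, not code from the presentation: a first-match ACL evaluator that models the router rules from the enterprise security principles slide (external DNS queries and nothing else to the DNS server), the zone policy slide (public-zone ingress only from the restricted zone, admin-only access to the restricted zone) and the explicit deny-all the router slide calls for. The zone address ranges, sample hosts and rule set are constructed assumptions, and the check at the end is the kind of change-control test a practitioner would run before pushing a new ACL.

```python
# Added example, not part of the original presentation: a first-match ACL
# evaluator modelling the router/zone ingress policy described on the slides.
# Zone address ranges, hosts and rules below are constructed assumptions.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed address plan: 'external' is the catch-all, more specific prefixes win.
ZONES = {
    "external":   ipaddress.ip_network("0.0.0.0/0"),
    "public":     ipaddress.ip_network("203.0.113.0/24"),   # public access server, DNS
    "restricted": ipaddress.ip_network("192.0.2.0/24"),     # business-application admins
    "trusted":    ipaddress.ip_network("10.0.0.0/8"),       # enterprise campus
}

def zone_of(ip: str) -> str:
    """Return the most specific zone containing ip."""
    addr = ipaddress.ip_address(ip)
    matches = [z for z, net in ZONES.items() if addr in net]
    return max(matches, key=lambda z: ZONES[z].prefixlen)

@dataclass(frozen=True)
class Rule:
    src_zone: str          # zone name or "any"
    dst_zone: str
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any port
    action: str            # "permit" or "deny"
    note: str = ""

# Ordered list, first match wins. The final rule is the explicit deny-all the
# slides call for; nothing should fall through to the implicit default.
INGRESS_ACL = [
    Rule("external",   "public",     "udp", 53,   "permit", "external DNS queries only"),
    Rule("external",   "public",     "tcp", 443,  "permit", "public access server"),
    Rule("restricted", "public",     "any", None, "permit", "public-zone ingress only from restricted zone"),
    Rule("trusted",    "restricted", "tcp", 22,   "permit", "admin access; strong auth enforced on the host"),
    Rule("any",        "any",        "any", None, "deny",   "explicit deny-all"),
]

def evaluate(acl, src_ip: str, dst_ip: str, proto: str, dport: int):
    """Return (action, note) for the first rule matching the packet."""
    sz, dz = zone_of(src_ip), zone_of(dst_ip)
    for r in acl:
        if r.src_zone not in ("any", sz):
            continue
        if r.dst_zone not in ("any", dz):
            continue
        if r.proto not in ("any", proto):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.note
    # Safety net: a router's implicit deny. Reaching here means the ACL is
    # missing its explicit deny-all and should be flagged by the check below.
    return "deny", "implicit deny (ACL lacks explicit deny-all)"

def ends_with_explicit_deny(acl) -> bool:
    """Change-control check: the last rule must be a deny-all catch-all."""
    last = acl[-1]
    return (last.action == "deny" and last.src_zone == "any"
            and last.dst_zone == "any" and last.proto == "any" and last.dport is None)

if __name__ == "__main__":
    # Constructed sample packets: (src, dst, proto, dport)
    samples = [
        ("198.51.100.7", "203.0.113.53", "udp", 53),    # external DNS query -> permit
        ("198.51.100.7", "203.0.113.53", "tcp", 22),    # external SSH to DNS host -> deny
        ("192.0.2.10",   "203.0.113.53", "tcp", 22),    # admin from restricted zone -> permit
        ("10.1.1.5",     "203.0.113.53", "tcp", 22),    # ordinary trusted user -> deny
        ("198.51.100.7", "192.0.2.10",   "tcp", 22),    # external into restricted -> deny
    ]
    print("explicit deny-all present:", ends_with_explicit_deny(INGRESS_ACL))
    for pkt in samples:
        print(pkt, "->", evaluate(INGRESS_ACL, *pkt))
```

The evaluator deliberately distinguishes a hit on the explicit deny-all from the implicit fall-through: on a real router both drop the packet, but only the explicit rule is logged and counted, which is why the slides insist on writing it out.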
Security Components
► Firewalls: stateful inspection devices that monitor bidirectional traffic to ensure compliance with predefined security policies. They take specific actions such as session termination, redirection, logging and alarms in response to unauthorized traffic.
► Intrusion Detection Systems: depending on its capabilities and policies, an IDS can decode and flag malicious traffic flows. IDS sensors are placed inside and outside the IPN and on each host within it. Suspected events are consolidated, normalized and correlated for real-time analysis.
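The following is an added example, not code from the presentation: a minimal model of the stateful inspection described above. A stateless ACL cannot tell a reply packet from an unsolicited one, so the firewall records each session it allowed to open and permits later packets only if they belong to a known session. That is also how the earlier requirement that the public access server may answer requests but never initiate outbound sessions is enforced. The zones, addresses and packet sample are constructed assumptions; the model tracks only the TCP flags it needs.

```python
# Added example, not part of the original presentation: a minimal stateful
# inspection model. Sessions are tracked by TCP 4-tuple so that return traffic
# is permitted only for sessions the policy allowed to open, and a public-zone
# server can answer clients but never initiate a session of its own.
# Zones, addresses and packets are constructed assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # subset of "S" (SYN), "A" (ACK), "F" (FIN), "R" (RST)

def zone(ip: str) -> str:
    """Assumed address plan."""
    if ip.startswith("10."):
        return "trusted"
    if ip.startswith("203.0.113."):
        return "public"
    return "external"

# Which zone pairs may OPEN a session (checked on the initial SYN only).
# A value may be a bool or a predicate on the packet.
NEW_SESSION_POLICY = {
    ("trusted", "external"): True,
    ("trusted", "public"): True,
    ("external", "public"): lambda p: p.dport in (53, 443),  # DNS and HTTPS only
    ("public", "external"): False,   # public servers never initiate outbound
    ("public", "trusted"): False,
    ("external", "trusted"): False,
}

class StatefulFirewall:
    def __init__(self):
        self.sessions = {}   # (client, cport, server, sport) -> state
        self.alerts = []

    def inspect(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        key = fwd if fwd in self.sessions else rev if rev in self.sessions else None

        if key is not None:
            # Packet belongs to a known session: permit and track its state.
            if "R" in p.flags or "F" in p.flags:
                del self.sessions[key]             # teardown; later packets need a new SYN
            elif "S" in p.flags and "A" in p.flags and key == rev:
                self.sessions[key] = "ESTABLISHED"  # server's SYN-ACK
            return "permit"

        if p.flags == "S":
            # New session attempt: consult the zone policy once, on the SYN.
            rule = NEW_SESSION_POLICY.get((zone(p.src), zone(p.dst)), False)
            allowed = rule(p) if callable(rule) else rule
            if allowed:
                self.sessions[fwd] = "SYN_SENT"
                return "permit"
            self.alerts.append(f"denied new session {p.src}:{p.sport} -> {p.dst}:{p.dport}")
            return "deny"

        # Non-SYN packet with no session (ACK scan, spoofed reply): drop and alarm.
        self.alerts.append(f"unsolicited {p.flags} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return "deny"

def simulate(packets):
    """Run packets through a fresh firewall; return (verdicts, alerts)."""
    fw = StatefulFirewall()
    verdicts = [fw.inspect(p) for p in packets]
    return verdicts, fw.alerts

# Constructed traffic sample, in order.
SAMPLE_PACKETS = [
    Packet("10.1.1.5", 40000, "198.51.100.9", 443, "S"),      # trusted user opens HTTPS out -> permit
    Packet("198.51.100.9", 443, "10.1.1.5", 40000, "SA"),     # SYN-ACK for that session -> permit
    Packet("198.51.100.9", 51000, "203.0.113.10", 443, "S"),  # external client to public web -> permit
    Packet("203.0.113.10", 5555, "198.51.100.9", 80, "S"),    # public server initiating outbound -> deny
    Packet("198.51.100.9", 51001, "203.0.113.10", 22, "S"),   # external SSH to public host -> deny
    Packet("198.51.100.9", 443, "10.1.1.5", 40001, "A"),      # ACK with no session (scan) -> deny
    Packet("10.1.1.5", 40000, "198.51.100.9", 443, "R"),      # client resets its session -> permit
    Packet("198.51.100.9", 443, "10.1.1.5", 40000, "A"),      # late packet after teardown -> deny
]

if __name__ == "__main__":
    verdicts, alerts = simulate(SAMPLE_PACKETS)
    for p, v in zip(SAMPLE_PACKETS, verdicts):
        print(v, p)
    print("alerts:", *alerts, sep="\n  ")
```

The last two packets show why session teardown matters: once the client's RST removes the entry, a late or replayed ACK on the same 4-tuple is treated as unsolicited and raises an alarm rather than being waved through.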
Security Components (Cont.)
► Intrusion Prevention Systems: a hybrid between a firewall and an IDS. It functions as an IDS, but can be placed inline with network devices such as the firewall.
► Domain Name Services: provides name resolution; provides local and geographical load distribution; split DNS is implemented to hide internal hostnames from external views.
► Web cache and reverse proxy
► Business continuity: disaster recovery
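The following is an added example, not code from the presentation: a model of the split DNS described above. One zone is served from two views; the view is chosen by the querying client's address, so an external client never learns that the internal names exist, and internal clients get internal addresses for the same public names. The names, addresses and internal ranges are constructed assumptions, and the audit function is the kind of check a change-control step should run so that an internal record cannot be published in the external view by mistake.

```python
# Added example, not part of the original presentation: a split-horizon
# ("split DNS") resolver model plus a leak audit. Names, addresses, the
# internal ranges and the internal-only suffix are constructed assumptions.
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]
INTERNAL_ONLY_SUFFIX = ".corp.example.com."   # assumed naming convention

# One zone, two views. The external view carries only the public-facing
# records; the internal view adds internal hostnames and internal addresses.
VIEWS = {
    "external": {
        "www.example.com.":  ["203.0.113.10"],
        "mail.example.com.": ["203.0.113.25"],
    },
    "internal": {
        "www.example.com.":         ["10.20.0.10"],  # reach the server without hairpinning
        "mail.example.com.":        ["10.20.0.25"],
        "db01.corp.example.com.":   ["10.30.0.5"],   # must never be visible externally
        "idsmgr.corp.example.com.": ["10.40.0.9"],
    },
}

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def select_view(client_ip: str) -> str:
    """Internal clients get the internal view; everyone else the external one."""
    return "internal" if is_internal(client_ip) else "external"

def resolve(name: str, client_ip: str):
    """Answer an A query as the split resolver would: (rcode, addresses)."""
    fqdn = name.lower().rstrip(".") + "."
    records = VIEWS[select_view(client_ip)].get(fqdn)
    if records is None:
        return "NXDOMAIN", []   # internal-only names simply do not exist externally
    return "NOERROR", list(records)

def audit_external_view(views=VIEWS):
    """Change-control check: list external records that leak internal data."""
    problems = []
    for fqdn, addrs in views["external"].items():
        if fqdn.endswith(INTERNAL_ONLY_SUFFIX):
            problems.append(f"{fqdn}: internal-only hostname published externally")
        for addr in addrs:
            if is_internal(addr):
                problems.append(f"{fqdn}: internal address {addr} published externally")
    return problems

if __name__ == "__main__":
    # Constructed queries: (name, client)
    for name, client in [("www.example.com", "198.51.100.7"),
                         ("www.example.com", "10.1.1.5"),
                         ("db01.corp.example.com", "198.51.100.7"),
                         ("db01.corp.example.com", "10.1.1.5")]:
        print(f"{client:>14} asks {name:<24} -> {resolve(name, client)}")
    print("external view audit:", audit_external_view() or "clean")
```

Serving NXDOMAIN rather than a refusal for internal names keeps the external view indistinguishable from a zone that never contained them; the audit catches the common failure of copying the whole internal zone file into the external server.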
Conclusion
► The final goal is to provide a simple and secure IPN environment.
► Scalability and expansion to accommodate growth should be allowed for.
► Performance, availability and scalability are extremely important for a successful IPN implementation.
References
► [1] Merrill Warkentin and Rayford B. Vaughn, Enterprise Information Systems Assurance and System Security: Managerial and Technical Issues.
► [2] http://en.wikipedia.org/wiki/
Questions