Network Security Topologies

1
Network Security Topologies

• Chapter 11

2
Learning Objectives

• Explain network perimeters importance to an
  organizations security policies
• Identify place and role of the demilitarized zone
  in the network
• Explain how network address translation is used
  to help secure networks
• Spell out the role of tunneling in network
  security
• Describe security features of virtual local area
  networks

3
Perimeter Security Topologies

• Put in place using firewalls and routers on
  network edge
• Permit secure communications between the
  organization and third parties
• Key enablers for many mission-critical network
  services
• Include demilitarized zones (DMZs) extranets, and
  intranets

continued
4
Perimeter Security Topologies

• Selectively admit or deny data flows from other
  networks based on several criteria
• Type (protocol)
• Source
• Destination
• Content

5
Three-tiered Architecture

• Outermost perimeter
• Internal perimeters
• Innermost perimeter

6
(No Transcript)
7
Outermost Perimeter

• Router used to separate network from ISPs
  network
• Identifies separation point between assets you
  control and those you do not
• Most insecure area of a network infrastructure
• Normally reserved for routers, firewalls, public
  Internet servers (HTTP, FTP, Gopher)
• Not for sensitive company information that is for
  internal use only

8
Internal Perimeters

• Represent additional boundaries where other
  security measures are in place

9
Network Classifications

• Trusted
• Semi-trusted
• Untrusted

10
Trusted Networks

• Inside network security perimeter
• The networks you are trying to protect

11
Semi-Trusted Networks

• Allow access to some database materials and
  e-mail
• May include DNS, proxy, and modem servers
• Not for confidential or proprietary information
• Referred to as the demilitarized zone (DMZ)

12
Untrusted Networks

• Outside your security perimeter
• Outside your control

13
(No Transcript)
14
Creating and Developing Your Security Design

• Know your enemy
• Count the cost
• Identify assumptions
• Control secrets
• Know your weaknesses
• Limit the scope of access
• Understand your environment
• Limit your trust

15
DMZ

• Used by a company to host its own Internet
  services without sacrificing unauthorized access
  to its private network
• Sits between Internet and internal networks line
  of defense, usually some combination of firewalls
  and bastion hosts
• Traffic originating from it should be filtered

continued
16
DMZ

• Typically contains devices accessible to Internet
  traffic
• Web (HTTP) servers
• FTP servers
• SMTP (e-mail) servers
• DNS servers
• Optional, more secure approach to a simple
  firewall may include a proxy server

17
(No Transcript)
18
DMZ Design Goals

• Minimize scope of damage
• Protect sensitive data on the server
• Detect the compromise as soon as possible
• Minimize effect of the compromise on other
  organizations

19
(No Transcript)
20
Intranet

• Either a network topology or application (usually
  a Web portal) used as a single point of access to
  deliver services to employees
• Typically a collection of all LANs inside the
  firewall
• Shares company information and computing
  resources among employees

continued
21
Intranet

• Allows access to public Internet through
  firewalls that screen communications in both
  directions to maintain company security
• Also called a campus network

22
Extranet

• Private network that uses Internet protocol and
  public telecommunication system to provide
  various levels of accessibility to outsiders
• Can be accessed only with a valid username and
  password
• Identity determines which parts of the extranet
  you can view

continued
23
Extranet

• Requires security and privacy
• Firewall management
• Issuance and use of digital certificates or other
  user authentication
• Encryption of messages
• Use of VPNs that tunnel through the public network

24
Network Address Translation (NAT)

• Internet standard that enables a LAN to use one
  set of IP addresses for internal traffic and a
  second set for external traffic
• Able to translate addresses contained in an IP
  packet

25
Main Purposes of NAT

• Provide a type of firewall by hiding internal IP
  addresses
• Enable a company to use more internal IP addresses

26
NAT

• Most often used to map IPs from nonroutable
  private address spaces defined by RFC 1918
• Static NAT and dynamic NAT
• Port Address Translation (PAT)
• Variation of dynamic NAT
• Allows many hosts to share a single IP address by
  multiplexing streams differentiated by TCP/UDP
  port numbers
• Commonly implemented on SOHO routers

27
Tunneling

• Enables a network to securely send its data
  through untrusted/shared network infrastructure
• Encrypts and encapsulates a network protocol
  within packets carried by second network
• Best-known example virtual private networks
• Replacing WAN links because of security and low
  cost
• An option for most IP connectivity requirements

28
Example of a Tunnel
29
Virtual Local Area Networks (VLANs)

• Deployed using network switches
• Used throughout networks to segment different
  hosts from each other
• Often coupled with a trunk, which allows switches
  to share many VLANs over a single physical link

30
Benefits of VLANs

• Network flexibility
• Scalability
• Increased performance
• Some security features

31
(No Transcript)
32
(No Transcript)
33
Security Features of VLANs

• Can be configured to group together users in same
  group or team
• Offer some protection when sniffers are inserted
  into the network
• Protect unused switch ports
• Use an air gap to separate trusted from untrusted
  networks

34
Vulnerabilities of VLAN Trunks

• Trunk autonegotiation
• Prevention Disable autonegotiation on all ports
• Trunk VLAN membership and pruning
• Prevention Manually configure all trunk links
  with the VLANs that are permitted to traverse them

35
Chapter Summary

• Technologies used to create network topologies
  that secure data and networked resources
• Perimeter networks
• Network address translation (NAT)
• Virtual local area networks (VLANs)

36
Honey Pots

• Back