Securing an Extranet - PowerPoint PPT Presentation

Description: Securing an Extranet: Identifying Common Firewall Strategies; Securing Internet-Accessible Resources in a Demilitarized Zone (DMZ); Securing Data Flow Through a DMZ

Slides: 102
Provided by: highe1
1
Securing an Extranet
  • Identifying Common Firewall Strategies
  • Securing Internet-Accessible Resources in a
    Demilitarized Zone (DMZ)
  • Securing Data Flow Through a DMZ

2
Identifying Common Firewall Strategies
  • Identifying firewall features to protect the
    extranet
  • Comparing DMZ configurations

3
Firewall Overview
4
Firewall Services
  • Network Address Translation (NAT)
  • Packet filtering
  • Static address mapping
  • Stateful inspection of network traffic
  • Advanced features

5
Protecting Private Network Addressing with NAT
6
Private Network Addressing
  • RFC 1918 reserves three ranges of IP addresses
    for private network addressing
  • 10.0.0.0 to 10.255.255.255 (10.0.0.0/8)
  • 172.16.0.0 to 172.31.255.255 (172.16.0.0/12)
  • 192.168.0.0 to 192.168.255.255 (192.168.0.0/16)

7
Packet Filters
8
Typical Packet Filter Fields
  • Source address
  • Source port
  • Destination address
  • Destination port
  • Protocol
  • Action

9
Port Numbers
  • To determine what ports are used by specific
    services and applications, view the Services text
    file in the %SystemRoot%\System32\drivers\etc
    folder.
  • To view a listing of well-known port numbers, go
    to www.isi.edu/in-notes/iana/assignments/port-numbers.

10
Mirroring Packet Filters
11
Firewall Strategies
  • Choose one of the following typical firewall
    strategies, based on the organization's risk
    level.
  • Specify allowed protocols and prohibit everything
    else.
  • Specify prohibited protocols and allow everything
    else.
  • Higher security networks specify the allowed
    protocols and prohibit everything else.

12
Static Address Mapping
13
Stateful Inspection
  • Simple packet filters might not provide enough
    security.
  • Packet filters define which ports are left open
    at the firewall to redirect network traffic to
    Internet-accessible resources.
  • Many protocols use ephemeral (dynamically
    assigned) ports above 1024 on the client side,
    which a static packet filter would have to leave
    open permanently.
  • Stateful inspection lets the firewall record the
    addresses and ports of each connection when it is
    opened, admit only the reply traffic that matches
    that record, and discard the record when the
    connection is terminated or times out.
  • A packet that belongs to no recorded connection
    (for example, a reply on a port no client asked
    for) is recognized as unsolicited and dropped.
  • Stateful inspection also lets rules be written
    for connectionless User Datagram Protocol
    (UDP)-based protocols such as SNMP: the firewall
    keeps a pseudo-session for each outbound request
    and admits only the reply that matches its source
    and destination addresses and ports.

14
Advanced Techniques
  • Configuring time-out tolerance
  • Allows the firewall to discard half-open sessions
    before the synchronize (SYN) queue overflows
  • Impedes SYN flood attacks, which attempt to lock
    up the firewall or the server behind it and
    prevent further connections by flooding it with
    Transmission Control Protocol (TCP) sessions that
    are never completed
  • Content scanning
  • Allows the firewall to inspect the commands
    transmitted within a session (for example, on the
    FTP control channel)
  • Can also scan all incoming content for known
    virus signatures

15
Making the Decision: Designing Firewall Features
  • NAT
  • Packet filters
  • Static address mapping
  • Stateful inspection
  • Time-out tolerances
  • Content scanning

16
Applying the Decision: Designing the Market Florist's Firewall
  • NAT
  • The private network client computers require
    access to the Internet.
  • The source address of every outgoing packet will
    be replaced with the NAT common address
    (client.marketflorist.tld, IP address
    131.107.88.2).
  • Packet filters
  • Packet filtering must be defined to allow only
    the authorized protocols to connect to each
    network resource.
  • Several protocols are allowed to enter the
    extranet for each Market Florist server.

17
Applying the Decision: Designing the Market Florist's Firewall (Cont.)
  • Static address mapping
  • www.marketflorist.tld
  • ftp.marketflorist.tld
  • mail.marketflorist.tld
  • vpn.marketflorist.tld
  • Stateful inspection
  • Flower Power uses UDP as its transport protocol.
  • UDP-based applications do not establish sessions,
    so a static packet filter would have to leave the
    reply ports open permanently.
  • Stateful inspection records the source and
    destination IP addresses and UDP ports of each
    outbound request and admits, for a limited time,
    only response packets that match them.
  • This keeps unsolicited datagrams out of the
    private network. It does not authenticate the
    reply: a forged datagram that copies the recorded
    addresses and ports is still admitted, so the
    application itself must protect its sessions.
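The state table that slides 13, 14 and 17 describe, as an added Python illustration that is not code from the original slides or from any firewall product. It records the 4-tuple of each session-opening packet, admits only the exact reverse of a live entry, refreshes UDP pseudo-sessions on traffic and expires them after an idle timeout, and gives half-open TCP entries the short time-out tolerance that bounds a SYN flood. Addresses, ports and timeout values are constructed samples; the "forged but matching" case shows the limit noted above.

```python
"""Stateful inspection state table: an added illustration, not code from the
original slides.  The firewall records the protocol, addresses and ports of each
session-opening packet and admits a packet in the reverse direction only if it
matches a live entry.  UDP entries are pseudo-sessions refreshed by traffic and
dropped after an idle timeout; a TCP entry stays half-open (SYN seen, handshake
unfinished) for only a short time.  All values below are constructed samples."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset = field(default_factory=frozenset)   # TCP flags, e.g. {"SYN"}


class StateTable:
    def __init__(self, udp_idle=30, half_open=5, established=3600):
        self.udp_idle, self.half_open, self.established = udp_idle, half_open, established
        self.entries = {}   # (proto, src_ip, src_port, dst_ip, dst_port) -> (state, expiry)

    @staticmethod
    def _key(p):
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    def _live(self, key, now):
        """State of a non-expired entry, or None; expired entries are dropped lazily."""
        entry = self.entries.get(key)
        if entry and entry[1] > now:
            return entry[0]
        self.entries.pop(key, None)
        return None

    def purge(self, now):
        """Periodic sweep: discard every entry whose timeout has passed."""
        self.entries = {k: v for k, v in self.entries.items() if v[1] > now}

    def initiator(self, p, now):
        """Packet from the side that opened (or is opening) the session.
        Returns True if the firewall forwards it."""
        key = self._key(p)
        state = self._live(key, now)
        if p.proto == "udp":                                  # new or refreshed pseudo-session
            self.entries[key] = ("udp", now + self.udp_idle)
            return True
        if "SYN" in p.flags and "ACK" not in p.flags:         # handshake starts: short timeout
            self.entries[key] = ("half_open", now + self.half_open)
            return True
        if state == "established" or (state == "syn_ack_seen" and "ACK" in p.flags):
            self.entries[key] = ("established", now + self.established)
            return True
        return False                                          # belongs to no session: drop

    def responder(self, p, now):
        """Packet travelling back toward the initiator; forwarded only if it is
        the exact reverse of a live entry."""
        key = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        state = self._live(key, now)
        if state is None:
            return False
        if p.proto == "udp":
            self.entries[key] = ("udp", now + self.udp_idle)
            return True
        if state == "half_open" and p.flags == frozenset({"SYN", "ACK"}):
            self.entries[key] = ("syn_ack_seen", now + self.half_open)
            return True
        if state == "established":
            self.entries[key] = ("established", now + self.established)
            return True
        return False


def demo():
    """Walk through the cases the slides describe; returns the verdicts."""
    t, out = StateTable(), {}
    # UDP: a private-network client queries the DNS server in the DMZ (constructed addresses)
    req = Packet("udp", "10.10.10.5", 1025, "192.168.77.3", 53)
    reply = Packet("udp", "192.168.77.3", 53, "10.10.10.5", 1025)
    wrong_port = Packet("udp", "192.168.77.3", 5353, "10.10.10.5", 1025)
    out["reply_before_request"] = t.responder(reply, now=0)         # nothing to match
    t.initiator(req, now=0)
    out["matching_reply"] = t.responder(reply, now=1)
    out["mismatched_reply"] = t.responder(wrong_port, now=1)
    out["forged_but_matching"] = t.responder(reply, now=2)          # caveat: indistinguishable
    out["reply_after_idle_timeout"] = t.responder(reply, now=2 + t.udp_idle)
    # TCP: 1000 spoofed SYNs hit the Web server while one real client completes a handshake
    for i in range(1000):
        t.initiator(Packet("tcp", f"203.0.113.{i % 250 + 1}", 40000 + i,
                           "131.107.88.2", 80, frozenset({"SYN"})), now=100)
    syn = Packet("tcp", "198.51.100.7", 3456, "131.107.88.2", 80, frozenset({"SYN"}))
    syn_ack = Packet("tcp", "131.107.88.2", 80, "198.51.100.7", 3456, frozenset({"SYN", "ACK"}))
    ack = Packet("tcp", "198.51.100.7", 3456, "131.107.88.2", 80, frozenset({"ACK"}))
    t.initiator(syn, now=100); t.responder(syn_ack, now=101); t.initiator(ack, now=102)
    out["entries_during_flood"] = len(t.entries)
    t.purge(now=100 + t.half_open + 1)                              # unanswered SYNs expire
    out["entries_after_timeout"] = len(t.entries)
    out["established_data_later"] = t.initiator(ack, now=3000)      # real session survives
    return out
```

The half-open timeout is what keeps the flood from occupying the table: the 1000 unanswered SYNs are gone a few seconds later while the completed session, which the firewall saw through its three-way handshake, lives on.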

18
Applying the Decision: Designing the Market Florist's Firewall (Cont.)
  • Time-out tolerance
  • Time-outs disconnect idle and half-open sessions
    to protect the Web site and other extranet
    resources from denial of service attacks.
  • A short time-out for half-open TCP connections
    limits the damage of SYN flooding attacks against
    the network.
  • Content scanning
  • To prevent uploads of data to the MFFTP server,
    the firewall should deploy content scanning of
    the FTP control channel and reject the upload
    commands. Note that "put" is the FTP client's
    command name; on the wire the client sends STOR
    (or STOU or APPE), so those are the verbs the
    filter must block.
  • This provides defense in depth alongside a
    read-only configuration of the FTP server itself,
    by scanning the File Transfer Protocol (FTP)
    transmissions for disallowed commands before they
    reach the server.

19
Comparing DMZ Configurations
  • It is unadvisable to host Internet-accessible
    resources within the private network.
  • Place all Internet-accessible resources in a
    network segment (called a DMZ) between the
    private network and the public network.
  • Other terms for DMZ are screened subnet and
    perimeter network.
  • There are three types of DMZ designs
    three-pronged firewall, mid-ground, and hybrid
    (or multizone).
  • A DMZ is part of the public and private network.

20
A Three-Pronged Firewall DMZ
21
A Mid-Ground DMZ
22
A Hybrid DMZ with a Single Firewall
23
A Hybrid DMZ with Multiple Firewalls
24
Making the Decision: Choosing Among DMZ Strategies
  • Three-pronged firewall DMZ
  • Mid-ground DMZ
  • Hybrid DMZ

25
Applying the Decision: Developing a DMZ Strategy for Market Florist
26
Securing Internet-Accessible Resources in a DMZ
  • Securing Internet Information Server (IIS)
  • Securing other services within the DMZ

27
Securing Internet Information Server (IIS)
  • The content on a Web server is the most common
    network resource exposed to the Internet.
  • IIS 5.0, included with Microsoft Windows 2000
    Server, allows an organization to host Web sites.
  • Additional configuration is required to fully
    secure an IIS server when it is exposed to the
    Internet.

28
Preventing Attacks Against the Web Servers
  • Change all default account names (for example,
    rename the built-in Administrator account and the
    IUSR_computername anonymous Web account).
  • Ensure that the Web server is not a member of the
    same forest as the private network.

29
Preventing Attacks Against the Web Servers (Cont.)
  • Separate content into different folders by type.

30
Preventing Attacks Against the Web Servers (Cont.)
  • Secure available content by type.

31
Preventing Attacks Against the Web Servers (Cont.)
  • Remove all sample applications from the Web
    server.

32
Preventing Attacks Against the Web Servers (Cont.)
  • Disable unnecessary services.
  • Block commonly attacked ports with Internet
    Protocol Security (IPSec).
  • Enable IIS logging.
  • Implement Secure Socket Layer (SSL) to protect
    secure areas of the Web server.
  • Deploy an intrusion detection system.
  • Disable the use of parent paths.
  • Apply the IIS 5.0 security checklist.
  • Mitigate against successful attacks.
  • Maintain the latest service packs and hot fixes
    for the Web server.

33
Making the Decision: Securing a Web Server
  • Track all access to the Web server.
  • Provide the strongest security to Web-accessible
    data.
  • Prevent an attacker from accessing unauthorized
    areas of the disk subsystem.
  • Prevent port scans against commonly attacked
    ports.
  • Detect hacking attempts.
  • Prevent a successful attack against the Web
    server from compromising other data stored on the
    network.
  • Ensure that the latest security fixes are applied
    to the Web server.
  • Limit the effect of a successful hacking attempt.
  • Apply the recommended security configuration for
    the Web server.

34
Applying the Decision: Configuring the Web Server for Market Florist
  • Configure the Web server as a Network Load
    Balancing Service (NLBS) cluster.
  • Configure the NLBS cluster to load balance
    equally among the four nodes.
  • Apply any additional security configurations
    uniformly against all four servers.

35
Applying the Decision: Configuring the Web Server for Market Florist (Cont.)
  • Configuration for the four Web servers
  • Enable auditing on each Web server.
  • Separate the content from the rest of the Web
    site.
  • Implement SSL on the Web server.
  • Apply Internet Protocol Security (IPSec) to
    restrict public network access to the Web server.
  • Apply the IIS 5.0 security checklist
    recommendations to the IIS servers.

36
Applying the Decision: Configuring the Web Server for Market Florist (Cont.)
  • Recommended IPSec filters

37
Securing Other Services Within the DMZ
  • FTP services
  • Telnet services
  • Domain Name System (DNS) services
  • Terminal Services
  • All services

38
Protect Transmitted Data Between Computers in the DMZ
39
Making the Decision: Protecting Internet-Accessible Resources
  • Protect the following resources
  • FTP services
  • Telnet services
  • DNS services
  • All services
  • Interaction between servers

40
Applying the Decision: Protecting Internet-Accessible Resources at Market Florist
  • Implement the following resources
  • FTP service
  • DNS service
  • Telnet services
  • Terminal Services
  • Interaction between servers

41
Securing Data Flow Through a DMZ
  • Determining a firewall strategy
  • Securing DNS resolution traffic
  • Securing Web traffic
  • Securing FTP traffic
  • Securing mail traffic
  • Securing application traffic
  • Securing Terminal server traffic
  • Securing VPN traffic

42
Specify Allowed Protocols and Prohibit Everything Else
  • The packet filters identify all protocols that
    can pass through the firewall.
  • If the packet filter does not identify a packet,
    the packet is assumed to be disallowed and is
    dropped.
  • This strategy is typically used at external
    firewalls to define which protocols are allowed
    to enter the DMZ and the private network.
  • This strategy is also used in high-security
    networks where only authorized protocols are
    allowed to enter the DMZ and the private network.

43
Specify Prohibited Protocols and Allow Everything Else
  • The packet filters identify all protocols that
    must be dropped at the firewall.
  • If the packet filter does not identify a packet,
    the packet is allowed to pass through the
    firewall.
  • This strategy is typically used at internal
    firewalls to block private network users from
    specific protocols.
  • This strategy is also used in lower security
    networks where only unauthorized protocols are
    blocked at the firewall.

44
Order of the Packet Filters
  • The order of processing depends on the specific
    firewall product.
  • Two common methods for processing packet filters
  • Process the packet filters in the order in which
    they are entered; the first matching filter
    decides, so a specific deny must be entered
    before any general allow that would also match.
  • Process the most specific packet filters before
    the more general packet filters, regardless of
    the order in which they were entered.
  • Verify which method the product uses before
    relying on a rule order: the same rule set can
    yield opposite decisions under the two methods.
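The two strategies of slides 11, 42 and 43 and the two ordering methods of slide 44, as an added Python illustration that is not code from the original slides or from any firewall product. The rule fields are the typical packet-filter fields of slide 8; the default action is what separates the allow-list strategy (default deny) from the deny-list strategy (default allow). The addresses are constructed in the Market Florist style and the anti-spoofing rule is an example of a specific deny whose effect depends on the product's ordering method.

```python
"""Packet-filter evaluation under both firewall strategies and both rule-ordering
methods: an added illustration, not code from the original slides or any firewall
product.  A rule matches on protocol, source and destination address and port;
the default action separates "specify allowed protocols and prohibit everything
else" (default deny) from "specify prohibited protocols and allow everything
else" (default allow).  Addresses are constructed in the Market Florist style."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                     # "allow" or "deny"
    proto: Optional[str] = None     # None matches any protocol
    src: str = "0.0.0.0/0"
    sport: Optional[int] = None
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    comment: str = ""

    def matches(self, pkt):
        return ((self.proto is None or self.proto == pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and (self.sport is None or self.sport == pkt["sport"])
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == pkt["dport"]))

    def specificity(self):
        """Score used by "most specific first" products: fixed fields and longer
        address prefixes count more."""
        return (sum(f is not None for f in (self.proto, self.sport, self.dport))
                + ipaddress.ip_network(self.src).prefixlen
                + ipaddress.ip_network(self.dst).prefixlen)


def evaluate(rules, pkt, default, ordering="entered"):
    """Return (action, rule) from the first matching rule under the chosen
    ordering ("entered" or "specific"), or (default, None) if nothing matches."""
    ordered = rules if ordering == "entered" else sorted(rules, key=Rule.specificity, reverse=True)
    for rule in ordered:
        if rule.matches(pkt):
            return rule.action, rule
    return default, None


WEB, DNS = "131.107.88.2", "131.107.88.3"       # constructed DMZ addresses

# External firewall, allow-list style: everything not listed is dropped.
EXTERNAL_RULES = [
    Rule("allow", "tcp", dst=f"{WEB}/32", dport=80, comment="HTTP to www"),
    Rule("allow", "tcp", dst=f"{WEB}/32", dport=443, comment="HTTPS to www"),
    Rule("allow", "udp", dst=f"{DNS}/32", dport=53, comment="DNS queries"),
    Rule("allow", "tcp", dst=f"{DNS}/32", dport=53, comment="DNS over TCP"),
    # Anti-spoofing: an RFC 1918 source arriving from the Internet is forged.
    # Entered last, so its effect depends on the product's ordering method.
    Rule("deny", src="10.0.0.0/8", dst=f"{WEB}/32", comment="spoofed private source"),
]

# Internal firewall, deny-list style: only the listed protocol is blocked.
INTERNAL_RULES = [
    Rule("deny", "tcp", src="10.0.0.0/8", dport=23, comment="no Telnet from the private network"),
]


def demo():
    """Constructed packets; returns the action taken for each case."""
    http = {"proto": "tcp", "src": "198.51.100.7", "sport": 3456, "dst": WEB, "dport": 80}
    out = {
        "http_to_web": evaluate(EXTERNAL_RULES, http, default="deny")[0],
        "telnet_to_web": evaluate(EXTERNAL_RULES, {**http, "dport": 23}, default="deny")[0],
        # The same spoofed packet, same rules, opposite verdicts:
        "spoof_first_match": evaluate(EXTERNAL_RULES, {**http, "src": "10.1.2.3"}, "deny", "entered")[0],
        "spoof_most_specific": evaluate(EXTERNAL_RULES, {**http, "src": "10.1.2.3"}, "deny", "specific")[0],
    }
    inner = {"proto": "tcp", "src": "10.10.10.5", "sport": 2000, "dst": "192.168.77.4", "dport": 23}
    out["internal_telnet"] = evaluate(INTERNAL_RULES, inner, default="allow")[0]
    out["internal_rdp"] = evaluate(INTERNAL_RULES, {**inner, "dport": 3389}, default="allow")[0]
    return out
```

On a first-match product the anti-spoofing deny is dead code where it is entered; on a most-specific-first product it wins because it fixes both a source prefix and a host destination. Either way, the fix is to know the product's method and place specific denies accordingly.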

45
Making the Decision: Choosing Firewall Strategies
  • The "Specify allowed protocols and prohibit
    everything else" strategy
  • The "Specify prohibited protocols and allow
    everything else" strategy
  • The "Specify allowed protocols and prohibit
    everything else" strategy, combined with packet
    filters that deny specific protocols

46
Applying the Decision: Choosing a Firewall Strategy for Market Florist
  • The "Specify allowed protocols and prohibit
    everything else" strategy best meets the security
    needs of the Market Florist network.
  • It allows Market Florist to define only
    authorized protocols that can enter the DMZ and
    the private network.
  • If a protocol is not included in the packet
    filter list, the protocol is assumed to be denied
    access to the DMZ or private network.

47
Securing DNS Resolution Traffic
  • The DNS service is used as a locator service in a
    Microsoft Windows 2000 network.
  • DNS is also used as the locator service for the
    Internet.
  • When designing security for the DNS service,
    define how DNS traffic moves through the private
    network and the DMZ to the Internet.
  • Separate the internal DNS service from the
    external DNS service.

48
DNS Traffic Flow in a DMZ
49
Internal Firewall Rules to Restrict DNS Usage
50
External Firewall Rules to Restrict DNS Usage
51
Making the Decision: Securing DNS Resolution Traffic
  • Establish packet filters at the external firewall
    to allow only TCP port 53 and UDP port 53 packets
    to reach the DNS server.
  • Establish packet filters at the internal firewall
    to allow only the internal DNS server to send TCP
    port 53 and UDP port 53 packets to the external
    DNS server.
  • Configure the internal DNS server to forward all
    irresolvable DNS queries to the external DNS
    server.
  • Configure the external DNS server to forward
    irresolvable DNS queries to the ISP's DNS server.

52
Applying the Decision: Securing DNS Resolution Traffic at Market Florist
53
Securing Web Traffic
  • A Web server is one of the most common network
    resources for Internet access.
  • A Web server listens for connections from
    external client computers on TCP port 80 for HTTP
    and port 443 for HTTPS connections.

54
Web Server Placement in the DMZ
55
External Packet Filters for a Web Server
56
Making the Decision: Securing Web Traffic
  • Establish packet filters at the external firewall
    to allow only TCP port 80 and TCP port 443
    packets to reach the Web server.
  • Implement SSL protection for Web pages that
    require external users to input sensitive data.
  • When authentication to a Web site is required,
    use either Integrated Windows Authentication or
    Basic Authentication over SSL. Basic
    Authentication by itself sends the user name and
    password base64-encoded, which is as good as
    cleartext, so SSL is what protects the
    credentials from interception.

57
Applying the Decision: Securing Web Traffic for Market Florist
58
Securing FTP Traffic
  • FTP allows data to be transferred to and from a
    central location.
  • FTP uses two separate TCP connections for each
    session.
  • The control connection (to TCP port 21 on the
    server) carries FTP commands from the FTP client
    software to the FTP server, including the user
    name and password in cleartext.
  • A separate data connection transfers each file or
    directory listing.
  • In active mode the client sends a PORT command
    naming one of its own ephemeral ports, and the
    FTP server initiates the data connection from its
    TCP port 20 to that port; in passive mode (PASV)
    the client instead connects to an ephemeral port
    on the server.
  • Establish packet filters that allow the FTP
    server to initiate active-mode data sessions from
    TCP port 20, and use an FTP-aware stateful
    firewall if passive-mode clients must also be
    supported.

59
Providing FTP Access in a DMZ
60
FTP Server Packet Filters
61
Making the Decision: Securing FTP Traffic at Market Florist
  • Establish packet filters at the external firewall
    to allow only TCP port 20 and TCP port 21 packets
    to reach the FTP server.
  • If active FTP clients exist, or if it is unknown
    whether they exist, establish reverse packet
    filters for traffic originating at the FTP server
    from TCP port 20 (active-mode data connections)
    and from TCP port 21 (replies on the control
    connection).
  • Because FTP sends user names and passwords in
    cleartext, allow only anonymous access to the FTP
    server so that no real account credentials cross
    the Internet.
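The control-channel inspection called for on slide 18 (block the client's "put", which is STOR on the wire) and on slides 58 and 61 (open the active-mode data connection the client's PORT command asks for), as one added Python illustration that is not code from the original slides or from any firewall product. The session lines, addresses and the verb list are constructed; the bounce check (a PORT that names a host other than the client) is the edge case an FTP-aware firewall must handle before it opens a reverse filter.

```python
"""FTP control-channel inspection: an added illustration, not code from the
original slides or any firewall product.  Two jobs an FTP-aware firewall does
with the TCP port 21 stream: (1) content scanning, where the client's "put" is
carried on the wire as STOR (or STOU/APPE), so an upload block must reject those
verbs, and (2) active-mode handling, where the client's PORT command names the
address and port the server will connect to from TCP port 20, so the firewall
parses it, checks that it names the client itself (an FTP bounce attack names a
third party) and opens the reverse data connection for that endpoint only.
The session lines and addresses are constructed."""
import re

# Verbs that modify the server's file system; blocked on a read-only server.
WRITE_VERBS = {"STOR", "STOU", "APPE", "DELE", "RNFR", "RNTO", "MKD", "RMD"}
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port(line):
    """(ip, port) from 'PORT h1,h2,h3,h4,p1,p2', or None if malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]


def inspect_control_line(line, client_ip, allow_upload=False):
    """Verdict for one client-to-server control line:
    ("pass", None), ("drop", reason) or ("open_data", (ip, port)), the last
    meaning: permit one connection from server port 20 to ip:port."""
    line = line.rstrip("\r\n")
    verb = line.split(" ", 1)[0].upper()
    if verb in WRITE_VERBS and not allow_upload:
        return "drop", f"{verb} rejected: uploads are not permitted"
    if verb == "PORT":
        endpoint = parse_port(line)
        if endpoint is None:
            return "drop", "malformed PORT argument"
        if endpoint[0] != client_ip:
            return "drop", f"PORT names {endpoint[0]}, not the client {client_ip} (bounce attempt)"
        if endpoint[1] < 1024:
            return "drop", "PORT names a privileged port"
        return "open_data", endpoint
    return "pass", None


def inspect_session(lines, client_ip, allow_upload=False):
    """Verdict per line for a whole client-to-server control stream."""
    return [inspect_control_line(l, client_ip, allow_upload)[0] for l in lines]


# Constructed anonymous session from client 198.51.100.7 to the MFFTP server.
SAMPLE_SESSION = [
    "USER anonymous\r\n",
    "PASS guest@example.com\r\n",
    "PORT 198,51,100,7,13,128\r\n",      # client asks for data on 198.51.100.7:3456
    "RETR brochure.pdf\r\n",
    "STOR evil.exe\r\n",                 # what the client's "put" looks like on the wire
    "PORT 10,10,10,200,0,25\r\n",        # bounce: make the server connect to an internal host
]
```

The verb list is deliberately wider than STOR alone: DELE, RNFR/RNTO, MKD and RMD also change the server's content, and an upload block that forgets them is incomplete. The firewall-side filter complements, not replaces, a read-only configuration on MFFTP itself.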

62
Applying the Decision: Securing FTP Traffic at Market Florist
63
Applying the Decision: Securing FTP Traffic at Market Florist (Cont.)
  • Configure the FTP server to accept only anonymous
    connections.
  • Authenticated access is not required to download
    floral arrangement brochures.
  • John Coake and Pat Coleman will use Telnet from
    the private network to manage the data in the
    Ftproot folder.
  • To allow this, the internal firewall must permit
    TCP port 23 to the MFFTP server; restrict that
    filter to the two administrators' workstations
    rather than allowing all access, since Telnet
    also carries credentials in cleartext.

64
Securing Mail Traffic
65
Common Protocols Supported by Mail Servers
  • Post Office Protocol version 3 (POP3)
  • Internet Message Access Protocol version 4 (IMAPv4)
  • Simple Mail Transfer Protocol (SMTP)
  • Lightweight Directory Access Protocol (LDAP)

66
Protect Protocols Using SSL
  • Implement Secure Sockets Layer (SSL) to protect
    POP3, IMAPv4, and LDAP.
  • Without SSL these protocols send the user account
    name and password in cleartext; SSL encrypts the
    session so that the credentials cannot be
    intercepted during the authentication process.

67
Mail Server Packet Filters
68
Making the Decision: Securing Mail Traffic
  • Determine which protocols will be allowed to
    access the mail server from the public network.
  • Establish packet filters at the external firewall
    to allow only the necessary ports to connect to
    the mail server.
  • Establish restrictions on SMTP relaying to
    prevent the mail server from becoming a source
    for unsolicited bulk e-mail.
  • Restrict the protocols that can be used to
    connect to the mail server from the private
    network.

69
Applying the Decision: Securing Mail Traffic at Market Florist
  • Market Florist must restrict the protocols that
    can connect to the mail server in the DMZ.
  • Only POP3 and SMTP will be used to connect to the
    mail server from the public network.

70
Applying the Decision: Securing Mail Traffic at Market Florist (Cont.)
  • Mail Server Packet Filters for Market Florist

71
Applying the Decision: Securing Mail Traffic at Market Florist (Cont.)
  • Mail Server Configuration
  • Allow SMTP relaying only for clients that have
    authenticated to the MFMAIL server before the
    e-mail client attempts the relay.
  • Do not restrict relaying by source IP address,
    since the sales force will connect from unknown
    IP addresses.

72
Securing Application Traffic
  • Servers in the DMZ are often required to store or
    access data from an application server in the
    private network.
  • Configure the internal firewall to allow only
    specific protocols to pass between the server in
    the DMZ and the application server in the private
    network.
  • It is risky to place the application server in
    the DMZ because data stored on the application
    server might be compromised.
  • Ensure that only authorized connections between
    the server in the DMZ and the application server
    in the private network can take place.

73
Securing Application Traffic: Managing the Connection Between the Two Servers
  • Attach the server in the DMZ directly to the
    computer on the private network, using a
    crossover cable and a protocol other than TCP/IP,
    so that the link is not reachable over IP from
    the DMZ.
  • Open the internal firewall to allow only the
    application's native protocol (for example, the
    SQL Server port) to pass between the server in
    the DMZ and the application server in the private
    network.
  • Use IPSec to authenticate the two servers to each
    other and encrypt the data transmitted between
    the server in the DMZ and the application server
    in the private network.

74
Securing Application Traffic: SQL Server Packet Filters for the Internal Firewall
75
Securing Application Traffic: IPSec Packet Filters for the Internal Firewall
76
Securing Application Traffic: External Firewall
  • Public network clients are only allowed to
    connect to the Web server.
  • The public network clients do not query the SQL
    server on the private network.
  • The Web server performs the query on the external
    customer's behalf.
  • For the transaction to occur, the external
    customer only needs to connect to the Web server
    using HTTP or HTTPS.

77
Making the Decision: Securing Application Traffic
  • Determine which protocols are required to access
    the server-based component in the DMZ.
  • Configure the external firewall so that public
    network client computers can connect only to the
    server in the DMZ, never to the application
    server behind it.
  • Determine which protocols the server-based
    component uses to connect to the application
    server in the private network.
  • Determine the most secure method to connect the
    server in the DMZ to the application server in
    the private network.
  • Define the necessary packet filters at the
    internal firewall to allow only the required
    protocols to exchange data between the DMZ and
    the private network.

78
Applying the Decision: Securing Application Traffic at Market Florist
  • Market Florist must allow customer orders placed
    on the Web server to reach the SQL server on the
    private network; customers never connect to MFSQL
    themselves, the Web server (MFWEB) queries it on
    their behalf.
  • All data transmitted between the Web server
    (MFWEB) and the SQL server (MFSQL) must be
    encrypted using IPSec transport mode.

79
Applying the Decision: Securing Application Traffic at Market Florist (Cont.)
80
Securing Terminal Server Traffic
  • Terminal Services allows an administrator to
    connect to servers on the network by using Remote
    Desktop Protocol (RDP).
  • Configure Terminal Services to run in Remote
    Administration mode rather than Application
    Server mode; Remote Administration mode limits
    the server to two concurrent administrative
    sessions and requires no Terminal Services
    licensing.

81
Securing Access to a Terminal Server
82
Terminal Services Packet Filters
83
Making the Decision: Securing Terminal Server Traffic
  • Configure the firewall to allow only connections
    to TCP port 3389 (RDP) to pass through to the
    terminal server.
  • Configure the terminal server to use the highest
    level of encryption supported by the client
    computers, subject to local import and export
    laws.
  • If only administrative access to the terminal
    server is required, configure the terminal server
    to use Remote Administration mode.

84
Applying the Decision: Securing Terminal Server Traffic at Market Florist
  • Use Terminal Services to manage all servers in
    the DMZ from the private network.
  • Configure Terminal Services to use Remote
    Administration mode at all computers in the DMZ.

85
Applying the Decision: Securing Terminal Server Traffic at Market Florist (Cont.)
  • Terminal Services Packet Filters

86
Securing VPN Traffic
  • The organization must consider how the tunneling
    protocol affects the firewall and network
    infrastructure design.
  • Layer Two Tunneling Protocol (L2TP) and IPSec
    tunnel mode both use IPSec to provide encryption
    services to the tunnel.
  • IPSec as implemented in Windows 2000 cannot pass
    through a firewall that performs NAT on incoming
    and outgoing packets: NAT rewrites the IP header
    fields that the Authentication Header (AH)
    integrity check covers, and ESP carries no port
    numbers for the NAT device to translate. (Later
    NAT traversal extensions, NAT-T, encapsulate ESP
    in UDP port 4500 to get around this; they are not
    part of Windows 2000 as shipped.)

87
Securing PPTP Tunnel Traffic
  • Few special considerations are needed when
    placing a Point-to-Point Tunneling Protocol
    (PPTP) tunnel server in the network.
  • The external firewall may perform NAT on incoming
    and outgoing packets, provided it translates the
    GRE (IP protocol 47) tunnel traffic as well as the
    TCP port 1723 control connection (often called
    PPTP pass-through); the static address mapping for
    the tunnel server must cover both.
  • The only other requirement is to place the tunnel
    server in the DMZ.

88
PPTP Tunnel Server in the DMZ
89
PPTP Packet Filters at the External Firewall
90
Securing PPTP Tunnel Traffic: Protect the Active Directory Database
  • Deploy the PPTP server as a member of a workgroup
    rather than as a member of the domain, so that a
    compromise of the tunnel server in the DMZ does
    not yield a domain computer account.
  • To support domain authentication, configure the
    tunnel server as a Remote Authentication Dial-In
    User Service (RADIUS) client to a RADIUS server
    on the private network.
  • Do not rely on RADIUS itself to protect this
    traffic. RADIUS (RFC 2865) hides only the
    User-Password attribute, by XORing it with an MD5
    stream derived from the shared secret; every
    other attribute travels in cleartext, and a
    captured exchange allows offline guessing of the
    shared secret. Protect the RADIUS traffic between
    the tunnel server and the RADIUS server with
    IPSec, and choose a long random shared secret.
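What the RADIUS protocol does and does not protect, as an added Python illustration that is not code from the original slides or from any RADIUS implementation. It implements the User-Password hiding of RFC 2865 section 5.2 and the Response-Authenticator of section 3, then shows the three things a practitioner should take from slide 90: the user name is readable by anyone on the path, anyone holding the shared secret reads the password, and a captured reply lets an eavesdropper test secret guesses offline. The user, password, secret and wordlist are constructed; a real NAS uses 16 random octets for the Request-Authenticator.

```python
"""What RADIUS actually protects: an added illustration, not the original's
code.  Per RFC 2865 section 5.2 only the User-Password attribute is hidden:
the password is padded with zeros to a multiple of 16 octets and each block is
XORed with MD5(shared secret + Request-Authenticator) for the first block and
MD5(shared secret + previous ciphertext block) for the rest.  Every other
attribute (User-Name, NAS-IP-Address, Framed-IP-Address, ...) is cleartext,
and the Response-Authenticator of the server's reply lets an eavesdropper test
shared-secret guesses offline.  Names, secret and password are constructed."""
import hashlib

USER_NAME, USER_PASSWORD = 1, 2            # RADIUS attribute types


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2 User-Password hiding; returns the hidden value."""
    if len(request_auth) != 16:
        raise ValueError("Request-Authenticator must be 16 octets")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password; anyone with the shared secret can do this."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, keystream)), block
    return out.rstrip(b"\x00")              # strip the zero padding


def encode_attributes(username, password, secret, request_auth):
    """Type-Length-Value encoding of User-Name and User-Password."""
    def tlv(t, v):
        return bytes([t, 2 + len(v)]) + v
    return tlv(USER_NAME, username) + tlv(USER_PASSWORD, hide_password(password, secret, request_auth))


def parse_attributes(attrs):
    """What a sniffer sees without the secret: a dict of type -> raw value."""
    out, i = {}, 0
    while i < len(attrs):
        t, length = attrs[i], attrs[i + 1]
        out[t] = attrs[i + 2:i + length]
        i += length
    return out


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = (20 + len(attrs)).to_bytes(2, "big")
    return hashlib.md5(bytes([code, ident]) + length + request_auth + attrs + secret).digest()


def crack_secret(code, ident, attrs, request_auth, resp_auth, wordlist):
    """Offline dictionary attack on the shared secret using a captured reply."""
    for guess in wordlist:
        if response_authenticator(code, ident, attrs, request_auth, guess) == resp_auth:
            return guess
    return None


def demo():
    secret = b"flowers1"                    # constructed weak shared secret
    req_auth = bytes(range(16))             # constructed; a real NAS uses 16 random octets
    attrs = encode_attributes(b"pcoleman", b"Tulip!2024", secret, req_auth)
    seen = parse_attributes(attrs)
    out = {"username_in_clear": seen[USER_NAME],
           "password_with_secret": unhide_password(seen[USER_PASSWORD], secret, req_auth)}
    # The NAS gets an Access-Accept (code 2) back; its authenticator is keyed by the secret
    accept_attrs, ident = b"", 7
    resp_auth = response_authenticator(2, ident, accept_attrs, req_auth, secret)
    cracked = crack_secret(2, ident, accept_attrs, req_auth, resp_auth,
                           [b"password", b"radius", b"flowers1", b"letmein"])
    out["cracked_secret"] = cracked
    out["password_after_crack"] = unhide_password(seen[USER_PASSWORD], cracked, req_auth)
    return out
```

The dictionary attack is one MD5 per guess over a captured request/reply pair, so a short or guessable shared secret gives up every password that crosses the link. That is why the traffic between the tunnel server and the IAS server needs IPSec rather than trust in RADIUS's own hiding.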

91
Securing PPTP Tunnel Traffic: RADIUS Authentication Filters at the Internal Firewall
92
Securing L2TP/IPSec Tunnel Traffic
  • L2TP tunnel connections do not allow placing the
    tunnel server behind a firewall that performs
    NAT.
  • Modify the DMZ configuration to meet this
    requirement.

93
L2TP Tunnel Server in the DMZ Using Public Network Addressing
94
L2TP Tunnel Server in the Hybrid DMZ
95
Securing Access to an L2TP Perimeter Server
96
L2TP/IPSec Filters at the External Firewall
97
Making the Decision: Securing VPN Traffic
  • Use public network addressing if the L2TP tunnel
    server is placed in the DMZ.
  • If the DMZ uses private network addressing as
    defined in RFC 1918, either:
    • Establish an outer DMZ that uses public network
      addressing, or
    • Configure the L2TP server as a perimeter server
      with an interface on the public network to
      accept tunnel connections.
  • Configure the external firewall to pass the
    tunneling protocol used by the tunnel server in
    the DMZ.
  • Configure the internal firewall to allow RADIUS
    authentication to a RADIUS server on the private
    network.

98
Applying the Decision: Securing VPN Traffic at Market Florist
  • The MFTUNNEL server is assigned an IP address of
    192.168.77.9, which is an RFC 1918-defined
    private network address.
  • The only tunneling protocol supported in this
    network infrastructure is therefore PPTP, since
    L2TP/IPSec cannot be used behind NAT.
  • Configure the internal firewall to allow the
    MFTUNNEL server to pass RADIUS authentication and
    accounting packets (UDP ports 1812 and 1813, or
    the legacy 1645 and 1646) to the Internet
    Authentication Service (IAS) server at IP address
    10.10.10.200.

99
Applying the Decision: Securing VPN Traffic at Market Florist (Cont.)
  • Tunnel Packet Filters at the Market Florist
    Firewall

100
Chapter Summary
  • Identifying firewall features to protect the
    extranet
  • Comparing DMZ configurations
  • Securing Internet Information Server (IIS)
  • Securing other services within the DMZ
  • Determining a firewall strategy
  • Securing DNS resolution traffic

101
Chapter Summary (Cont.)
  • Securing Web traffic
  • Securing FTP traffic
  • Securing mail traffic
  • Securing application traffic
  • Securing terminal server traffic
  • Securing VPN traffic