VLAN-Based Security for Modern Service-Provision Networks - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
VLAN-Based Security for Modern Service-Provision
Networks
  • Version 1.0
  • October, 2001
  • Bill Woodcock
  • Packet Clearing House

2
We Have Linguistic Problems, not Technological
Problems
  • The technology is much, much more flexible than
    most people's ability to comprehend the
    problem-space.
  • The problem is in finding a mental model which
    allows users to comprehend the problems and their
    solutions, not in finding a technology to solve
    the problem.

3
Legacy Firewall Terminology
  • Historical distinction between packet filtering
    firewalls and stateful-inspection firewalls no
    longer very useful in the real world.
  • The "inside", "outside" and "DMZ" nomenclature limits
    lay-people's ability to understand security.

4
Old Enterprise Solution
  • Stateful-inspection box
  • Usually an application on top of Windows.
  • Immense differential between the complexity of
    the system and what's exposed to the operator.
  • Usually very slow.
  • Usually very low MTBF.
  • Three 10/100 Ethernet interfaces.
  • No protection against stepping-stone attacks.
  • No protection against untrusted users.

5
Stepping-Stone Attack
  • [Diagram] Attacker on the outside; one allowed port leads through the firewall to a vulnerable server on the inside, next to a normal server.

6
Stepping-Stone Attack
  • [Diagram] Attack channel: the attacker reaches the vulnerable server through the allowed port.

7
Stepping-Stone Attack
  • [Diagram] Control channel: the vulnerable server is now a compromised server; the normal server is now at risk.

8
Stepping-Stone Attack
  • [Diagram] Stepping-stone attack: the compromised server attacks the normal server from the inside.

9
Stepping-Stone Attack
  • [Diagram] Control channel: the normal server is compromised as well.

10
Untrusted User Attack
  • [Diagram] Intranet server in the DMZ: a few allowed ports from the outside, many allowed ports from the inside, where an untrusted user sits beside a normal user.

11
Untrusted User Attack
  • [Diagram] Attack channel: the untrusted user reaches the intranet server through the many ports allowed from the inside.

12
Untrusted User Attack
  • [Diagram] Control channel: the intranet server is now a compromised server under the untrusted user's control.

13
Modern Firewalling
  • Don't add points of failure. Make full use of
    the high-MTBF equipment you already have.
  • Don't slow things down.
  • Don't invite Bill Gates into your network.
  • Security needs should define your security
    policy, not some coincidental number of physical
    interfaces on a box.

14
Simple Packet Filter
  • [Diagram] Outside; router running one large packet filter; the inside is a single switch fabric.

15
Simple Packet Filter
  • [Diagram] Same topology as slide 14.

16
VLAN-Based Firewalling
  • [Diagram] Outside; router running many small packet filters; 802.1Q VLAN trunk to the switch fabric; many insides.

17
VLAN-Based Firewalling
  • [Diagram] Same topology as slide 16: 802.1Q trunk into the switch fabric, one inside per small packet filter.

18
Relative Processing Speed
  • One large packet filter (40 lines)
  • Average exit after 20 lines

19
Relative Processing Speed
  • Routing process selects output ruleset
  • Ten small packet filters (4 lines each)
  • Average exit after 2 lines
  • Routing is cheap, ruleset processing is
    expensive. Use the router for what it's good at.

20
What This Looks Like: Switch

  hostname OAK-Switch-3
  !
  interface FastEthernet0/41
   description VLAN_341-OAK_DNS-131.161.2.0/30
   switchport access vlan 341
   speed 100
   full-duplex

  OAK-Switch-3# vlan database
  OAK-Switch-3(vlan)# vlan 341 name VLAN_341-OAK_DNS-131.161.2.0/30
  OAK-Switch-3(vlan)# exit
  APPLY completed.
  Exiting....

21
What This Looks Like: Router

  hostname OAK-Firewall
  !
  interface FastEthernet0/0
   description 802.1Q VLAN Trunk to OAK-Switch-1
   no ip address
   speed 100
   full-duplex
  !
  interface FastEthernet0/0.341
   description VLAN_341-OAK_DNS-131.161.2.0/30
   encapsulation dot1Q 341
   ip address 131.161.2.2 255.255.255.252
   ip access-group ACL-341-OAK_DNS-IN in
   ip access-group ACL-341-OAK_DNS-OUT out
  !
  ip access-list extended ACL-341-OAK_DNS-IN
   permit udp host 131.161.2.1 eq domain any
   permit udp host 131.161.2.1 any eq domain
   permit tcp host 131.161.2.1 any eq domain

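The cost argument of slides 18-19 and the ACL of slide 21, worked as an added example that is not part of the original presentation: a small Python evaluator for the IOS extended-ACL syntax (host/any/wildcard addresses, eq ports, first match wins, implicit deny) that counts how many entries a packet is compared against under one concatenated filter versus the per-VLAN filter that routing picks from the packet's source VLAN. The second VLAN's ruleset, the 192.0.2.x addresses and the port-keyword table are constructed for the example.

```python
# Added example (not from the slides): evaluator for the IOS extended-ACL syntax of slide 21;
# counts entries examined in one large filter vs. the per-VLAN filter that routing selects.
import ipaddress
PORTS = {"domain": 53, "www": 80, "smtp": 25}  # IOS port keywords used here (constructed table)
_ip = lambda a: int(ipaddress.ip_address(a))

def _addr(t, i):  # 'any' | 'host A' | 'A WILDCARD' at t[i] -> (matcher, next index)
    if t[i] == "any":
        return (lambda ip: True), i + 1
    if t[i] == "host":
        return (lambda ip, h=_ip(t[i + 1]): ip == h), i + 2
    n, w = _ip(t[i]), _ip(t[i + 1])  # IOS wildcard mask: 1 bits are don't-care
    return (lambda ip, n=n, w=w: (ip & ~w) == (n & ~w)), i + 2

def _port(t, i):  # optional 'eq PORT' after an address; PORT is a keyword or number
    if i < len(t) and t[i] == "eq":
        p = PORTS.get(t[i + 1]) or int(t[i + 1])
        return (lambda port: port == p), i + 2
    return (lambda port: True), i

def parse_acl(text):  # 'permit|deny PROTO SRC [eq P] DST [eq P]' per line, blanks ignored
    acl = []
    for t in (line.split() for line in text.splitlines() if line.strip()):
        src, i = _addr(t, 2)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        acl.append((t[0], t[1], src, sport, dst, dport))
    return acl

def evaluate(acl, proto, src, sport, dst, dport):  # first match wins, implicit deny at end
    s, d = _ip(src), _ip(dst)
    for n, (action, p, fs, fsp, fd, fdp) in enumerate(acl, 1):  # n = entries examined
        if p in (proto, "ip") and fs(s) and fsp(sport) and fd(d) and fdp(dport):
            return action, n
    return "deny", len(acl)

# VLAN 341 is the inbound DNS ruleset from slide 21; the second (web) VLAN is constructed.
VLAN_ACLS = {
    "131.161.2.0/30": "permit udp host 131.161.2.1 eq domain any\n"
                      "permit udp host 131.161.2.1 any eq domain\n"
                      "permit tcp host 131.161.2.1 any eq domain\n",
    "131.161.2.4/30": "permit tcp host 131.161.2.5 eq www any\n"
                      "permit tcp host 131.161.2.5 any eq smtp\n",
}

def compare(proto, src, sport, dst, dport):  # (verdict, entries) for big filter vs. VLAN filter
    pkt = (proto, src, sport, dst, dport)
    big = parse_acl("".join(VLAN_ACLS.values()))  # every VLAN's rules in one list
    vlan = next(n for n in VLAN_ACLS if ipaddress.ip_address(src) in ipaddress.ip_network(n))
    return evaluate(big, *pkt), evaluate(parse_acl(VLAN_ACLS[vlan]), *pkt)
```

With more VLANs concatenated ahead of the matching one, the entry count of the big filter grows while the per-VLAN count stays the same, which is the slide 19 point.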
22
Example With VPN Endpoint
  • [Diagram] Outside; router holding the rulesets; 802.1Q trunk to the switch; access ports to a VPN endpoint and to a server.

23
Example With VPN Endpoint
  • Traffic enters the network from the commodity network.

24
Example With VPN Endpoint
  • First ruleset guarantees that only IPSec traffic will reach the VPN endpoint.
  • VPN endpoint is protected against non-IPSec attack.

25
Example With VPN Endpoint
  • IPSec traffic enters the outside of the VPN endpoint.

26
Example With VPN Endpoint
  • Decrypted IP traffic leaves the inside of the VPN endpoint.

27
Example With VPN Endpoint
  • Second ruleset defines which internal resources VPN users are allowed access to.
  • Users who have undergone visual authentication are differentiated from those who may have left a home terminal logged in.

28
Example With VPN Endpoint
  • Third ruleset defines which services are accessible on a particular server.